Solved: How can I use a combination of an IF statement alo...

jacqu3sy · ‎09-13-2017

Hi,

How can I use a combination of an IF statement along with AND.

I'm looking to run a count whereby IF the _hour is greater than a certain time, AND a server name matches a list, dont include the server in the results.

I have something like this;

mysearch...
| eval hour=tonumber(strftime(_time,"%H"))
| if(hour>2 AND NOT (dest="server1" OR dest="server2" OR dest="server3"))
| stats count by _time, hour, dest, status

Essentially I dont want to include results of a server between certain hours.

Any ideas? Thanks.

DalJeanis · ‎09-13-2017

You are confusing two constructs...

| eval foo=if(bar=2,"value1",field2)

...and...

| where ((bar=2) AND (foo=field2))

...or possibly...

| search ((bar=2) AND (foo="value2"))

Remember that search does not "dereference" the value on the right of the equals sign... it assumes that the thing on the right is a literal or a constant of some sort, as opposed to a field name.

View solution in original post

lfedak_splunk · ‎09-13-2017

Hey @jacqu3sy, if they solved your problem, please remember to "accept" an answer to award karma points and to close the question. You can upvote answers and comments too! All actions award karma points. 🙂

DalJeanis · ‎09-13-2017

You are confusing two constructs...

| eval foo=if(bar=2,"value1",field2)

...and...

| where ((bar=2) AND (foo=field2))

...or possibly...

| search ((bar=2) AND (foo="value2"))

Remember that search does not "dereference" the value on the right of the equals sign... it assumes that the thing on the right is a literal or a constant of some sort, as opposed to a field name.

jacqu3sy · ‎09-15-2017

Something like this you mean?

| eval suppress=if((hour > 2 and hour < 4 AND (dest="x.x.x.x")"yes","no"))
| where suppress="no"

jacqu3sy · ‎09-15-2017

the following worked, thanks for pointing in the right direction:

| eval suppress=if((hour >=10 AND hour <=13) AND (dest="x.x.x.x"),"yes", "no")
| where suppress="no"

DalJeanis · ‎09-15-2017

@jacqu3sy - You can do it in one step...

| where NOT ((hour >=10 AND hour <=13) AND (dest="x.x.x.x"))

...or...

| where hour<10 OR hour>13 OR dest!="x.x.x.x"

jacqu3sy · ‎09-15-2017

I kind of follow, but I'm not sure how I would use this in the example I have.

HiroshiSatoh · ‎09-13-2017

Try this!

(your search) date_hour>2  NOT (dest="server1" OR dest="server2" OR dest="server3")
| stats count by date_hour, dest, status

| eval hour=tonumber(strftime(_time,"%H"))
↓
date_hour

jacqu3sy · ‎09-15-2017

Sorry, but I dont follow this. surely this query would ignore anything that occurs before 2? I only want it to ignore results before 2 when it matches a specific server name.

So I need to produce results ONLY if the hour is greater than 2 AND not a certain server. If the hour is less than 2 but a differant server than that listed in the query, I still need to see the results.

cmerriman · ‎09-13-2017

as a quick note, strftime(_time,"%H") can be different than date_hour when the user is set to a different time zone than the data. strftime(_time,"%H") will put the calculate the hour for the time zone the user is in and date_hour will be the hour the data says.

For instance. if a user is set to be in Central time and data is coming from Pacific time, strftime(_time,"%H") will create a value of 4 and date_hour will have a value of 2.

HiroshiSatoh · ‎09-13-2017

Thank you for your help.

How can I use a combination of an IF statement along with AND?

Developer Spotlight with Brett Adams

Index This | What can you do to make 55,555 equal 500?

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...