
How to Formulate an if Function for a Simple Math Problem

MeMilo09
Path Finder

Hi There, 

I am probably making this more confusing for myself than it needs to be, but it's a simple concept. Here is the scenario. If an invite is emailed and no confirmation is received within 1 day from the email being sent, then it is "In Progress"; otherwise it's a failure. Please help formulate; basically, if no confirmation is received within 1 day it's in progress. I would like to keep my times all in epoch. Thank you in advance.

| makeresults 
| eval email_sent=1637978619.056000
| eval time_passed_no_confirmation=86400
| eval confirmation_remains_null="null"




0 Karma

yuanliu
SplunkTrust

I can see how a seemingly simple problem becomes confusing when you have multiple factors to consider.  Let me try to understand the question with two different assumptions.

If elapsed time since email_sent is the only factor, all you need to know is the function now():

 

| eval status = if(now() - email_sent > time_passed_no_confirmation, "fail", "in progress")

 

However, I suspect that your problem is not as simple, because your data emulation includes another variable, confirmation_remains_null. I suspect that your use case calls for a 3-state outcome: fail, in progress, and completed, the "completed" state being reached when confirmation_remains_null is no longer "null" within 1 day.

If this is the case, the following simulates the 3 possible states:

 

| makeresults count=3
| eval time_passed_no_confirmation=86400
| streamstats count
| eval email_sent = now() - count * 30000
| eval confirmation_remains_null=if(count==2, "received", "null")

``` calculate difference between now and email_sent, also check confirmation state ```
| eval status = case(now() - email_sent > time_passed_no_confirmation, "fail", confirmation_remains_null == "null", "in progress", true(), "confirmed")

 

| _time | confirmation_remains_null | count | email_sent | status | time_passed_no_confirmation |
|---|---|---|---|---|---|
| 2021-12-01 22:52:34 | null | 1 | 1638397953 | in progress | 86400 |
| 2021-12-01 22:52:34 | received | 2 | 1638367953 | confirmed | 86400 |
| 2021-12-01 22:52:34 | null | 3 | 1638337953 | fail | 86400 |
0 Karma
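
An added example, not part of the thread or either poster's code: a variant of the three-state search that keeps a hypothetical confirmation_time epoch field (truly null until a confirmation arrives) instead of the string "null", and tests for confirmation first so that a reply received inside the window is not relabeled "fail" once a day has passed. The field names confirmation_time, window and age, and the four sample rows, are constructed for illustration.

```spl
| makeresults count=4
| streamstats count
| eval window=86400 ``` one day, in seconds ```
| eval age=case(count==1, 30000, count==2 OR count==3, 90000, count==4, 120000) ``` constructed sample ages ```
| eval email_sent=now() - age
| eval confirmation_time=case(count==2, email_sent + 3600, count==4, email_sent + 100000) ``` case() with no match returns null: rows 1 and 3 have no confirmation ```
| eval status=case(
    isnotnull(confirmation_time) AND confirmation_time - email_sent <= window, "confirmed",
    now() - email_sent > window, "fail",
    true(), "in progress") ``` first matching clause wins, so the confirmation test comes before the age test ```
| table count email_sent confirmation_time status
```

With these rows, 1 is "in progress", 2 is "confirmed" even though it is more than a day old, 3 is "fail" (no confirmation after a day), and 4 is "fail" (confirmation arrived after the window).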