Splunk Search

How to Formulate an if Function for a Simple Math Problem

MeMilo09
Path Finder

Hi There, 

I am probably making this more confusing for myself than it needs to be, but it's a simple concept. Here is the scenario. If an invite is emailed and no confirmation is received within 1 day from email being sent then it is "In Progress" otherwise it's a failure. Please help formulate, basically if no confirmation is received within 1 day it's in progress. I would like to keep my times all in epoch. Thank you in advance.

| makeresults 
| eval email_sent=1637978619.056000
| eval time_passed_no_confirmation=86400
| eval confirmation_remains_null="null"




0 Karma

yuanliu
SplunkTrust

I can see how a seemingly simple problem becomes confusing when you have multiple factors to consider.  Let me try to understand the question with two different assumptions.

If elapsed time since email_sent is the only factor, all you need to know is the function now():

 

| eval status = if(now() - email_sent > time_passed_no_confirmation, "fail", "in progress")

 

However, I suspect that your problem is not as simple, because your data emulation includes another variable, confirmation_remains_null. I suspect that your use case calls for a 3-state outcome, fail, in progress, and completed, the "completed" state being reached when confirmation_remains_null is no longer "null" within 1 day.

If this is the case, the following simulates the 3 possible states:

 

| makeresults count=3
| eval time_passed_no_confirmation=86400
| streamstats count
| eval email_sent = now() - count * 30000
| eval confirmation_remains_null=if(count==2, "received", "null")

``` calculate difference between now and email_sent, also check confirmation state ```
| eval status = case(now() - email_sent > time_passed_no_confirmation, "fail", confirmation_remains_null == "null", "in progress", true(), "confirmed")

 

| _time | confirmation_remains_null | count | email_sent | status | time_passed_no_confirmation |
|---|---|---|---|---|---|
| 2021-12-01 22:52:34 | null | 1 | 1638397953 | in progress | 86400 |
| 2021-12-01 22:52:34 | received | 2 | 1638367953 | confirmed | 86400 |
| 2021-12-01 22:52:34 | null | 3 | 1638337953 | fail | 86400 |
0 Karma
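
Added example, not part of either post above: a variant of the three-state search that goes beyond the answer by recording when the confirmation arrived, so a confirmation that lands after the one-day window can be told apart from one that arrived in time. The field names confirmation_time, deadline and n, and the four sample rows, are assumptions constructed for illustration; confirmation_time is a real null (not the string "null") until a confirmation exists.

```spl
| makeresults count=4
| streamstats count AS n
| eval time_passed_no_confirmation = 86400
``` constructed sample rows: n=1,2 were sent 30000 s ago, n=3,4 were sent 120000 s ago ```
| eval email_sent = now() - if(n <= 2, 30000, 120000)
``` assumed field: epoch time of the confirmation; case() with no matching clause leaves it null ```
| eval confirmation_time = case(n == 2, email_sent + 3600, n == 4, email_sent + 100000)
| eval deadline = email_sent + time_passed_no_confirmation
``` clauses are tested in order: confirmed in time, else still inside the window, else fail ```
| eval status = case(
    isnotnull(confirmation_time) AND confirmation_time <= deadline, "confirmed",
    now() <= deadline, "in progress",
    true(), "fail")
| table n email_sent confirmation_time deadline status
```

Rows 1 to 4 come out as in progress, confirmed, fail and fail; row 4 fails because its confirmation arrived 100000 seconds after sending, past the 86400-second deadline.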