Solved: How to achieve search that If count is less than 0...

Skysurfer · ‎09-11-2022

Can someone please help me with this.

I have looking for a query so that if count is less than 0 change it to 0, otherwise display actual count.

for example, if the count is -23, the result should be count=0 and if the count is 23, the result should be count=23.

gcusello · ‎09-11-2022

it's hard for me to imagine that a count can be less then zero!

If anyway, you mean a sum called count, you can use an eval like this:

| eval count=if(count>0,count,0)

Ciao.

Giuseppe

View solution in original post

gcusello · ‎09-11-2022

Hi @Skysurfer,

it's hard for me to imagine that a count can be less then zero!

If anyway, you mean a sum called count, you can use an eval like this:

| eval count=if(count>0,count,0)

Ciao.

Giuseppe

Skysurfer · ‎09-11-2022

@gcusello @Thank you, it worked.

Shouldn’t have put it as count as count itself has a different meaning in splunk. It was actually a field value that I was getting by doing some stats sum.

Ciao

gcusello · ‎09-11-2022

Hi @Skysurfer,

good for you, see next time!

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated 😉

How to achieve search that If count is less than 0 change it to 0?

count

Infographic provides the TL;DR for the 2024 Splunk Career Impact Report

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?