Solved: How to achieve search that If count is less than 0...

Skysurfer · ‎09-11-2022

Can someone please help me with this.

I have looking for a query so that if count is less than 0 change it to 0, otherwise display actual count.

for example, if the count is -23, the result should be count=0 and if the count is 23, the result should be count=23.

gcusello · ‎09-11-2022

it's hard for me to imagine that a count can be less then zero!

If anyway, you mean a sum called count, you can use an eval like this:

| eval count=if(count>0,count,0)

Ciao.

Giuseppe

View solution in original post

gcusello · ‎09-11-2022

Hi @Skysurfer,

it's hard for me to imagine that a count can be less then zero!

If anyway, you mean a sum called count, you can use an eval like this:

| eval count=if(count>0,count,0)

Ciao.

Giuseppe

Skysurfer · ‎09-11-2022

@gcusello @Thank you, it worked.

Shouldn’t have put it as count as count itself has a different meaning in splunk. It was actually a field value that I was getting by doing some stats sum.

Ciao

gcusello · ‎09-11-2022

Hi @Skysurfer,

good for you, see next time!

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated 😉

How to achieve search that If count is less than 0 change it to 0?

count

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...

AppDynamics is now part of Splunk Ideas

Advanced Splunk Data Management Strategies