Splunk Search

How to edit my eval=if() statement to output the expected result?

jxiongjx
Engager

In my search I currently have

...| transaction startswith="start" endswith="end" maxspan=10m
| eval current = if(Data1 == "Curr", Data3, null())
| timechart avg(duration) max(current)

My transaction is grouping events how I want them to, but the problem I have is with the eval search. Data1 essentially has a description of the type of data and Data3 has the value. I only care about the data when Data1 is "Curr" so if that case is true, then current should be the value of Data3. If not, then I don't care about Data3 so I set it to null.

(Note that each event has a Data1 and Data3 value so a transaction should have x number of Data1's and Data3's where x is the eventcount)
The goal of the search is to go through each event in a transaction and see if Data1 is "Curr" and to take note of the value and after going through each event in the transaction, to find the max value.

The problem I found is in the result of max(current).
If none of the events in a transaction has Data1="Curr", then there is no max(current) value, which is what I am looking for.

But if there is one, then the max(current) value just finds the max of Data3 regardless of whether that event is the one with Data1="Curr".
For example: if a log data has
Event1: start
Event2: Data1 = Curr, Data3 = 5
Event3: Data1 = Volt, Data3 = 10
Event4: end
My current search is outputting max(current) as 10 when I want it to be 5 since the 3rd event is not a Curr event so its Data3 value should not be counted when finding the max.

Any help will be appreciated!


justinatpnnl
Communicator

The transaction command is making a multi-value field out of Data1, so it will always equal "Curr" in your if statement.

You should be able to fix this by moving your eval before your transaction.

| eval current = if(Data1 == "Curr", Data3, null())
| transaction startswith="start" endswith="end"
| timechart avg(duration) max(current)

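As an added illustration, not code from this thread or from Splunk, the Python below models the two pipeline orderings discussed in the accepted answer on constructed events. It assumes that transaction collapses each field of the grouped events into a multivalue list and that comparing a multivalue field with == counts as true when any member matches, which is consistent with the answer's observation; the field and function names mirror the search above, and the data goes beyond the original case by including a transaction with no Curr event and one with several.

```python
"""Model of eval-before vs eval-after transaction (constructed data, not Splunk)."""
from typing import Optional

# Constructed sample events in time order: three transactions, one of which
# has no "Curr" reading and one of which has two.
EVENTS = [
    {"marker": "start"},
    {"Data1": "Curr", "Data3": 5},
    {"Data1": "Volt", "Data3": 10},
    {"marker": "end"},
    {"marker": "start"},
    {"Data1": "Volt", "Data3": 7},
    {"marker": "end"},
    {"marker": "start"},
    {"Data1": "Curr", "Data3": 3},
    {"Data1": "Curr", "Data3": 8},
    {"Data1": "Volt", "Data3": 20},
    {"marker": "end"},
]


def transaction(events):
    """Group events between 'start' and 'end' markers and collapse every
    field into a multivalue list (assumed model of the transaction command)."""
    groups, open_group = [], None
    for ev in events:
        if ev.get("marker") == "start":
            open_group = []
        elif ev.get("marker") == "end":
            if open_group is not None:
                groups.append(open_group)
            open_group = None
        elif open_group is not None:
            open_group.append(ev)
    result = []
    for grp in groups:
        tx = {}
        for ev in grp:
            for key, val in ev.items():
                tx.setdefault(key, []).append(val)
        tx["eventcount"] = len(grp)
        result.append(tx)
    return result


def eval_current(rec):
    """eval current = if(Data1 == "Curr", Data3, null()) on one record.
    Assumption: a multivalue Data1 compares equal if any member is "Curr"."""
    d1 = rec.get("Data1")
    matches = ("Curr" in d1) if isinstance(d1, list) else d1 == "Curr"
    rec["current"] = rec.get("Data3") if matches else None  # None plays null()
    return rec


def max_current(tx) -> Optional[int]:
    """max(current) over one transaction; None when no value survives."""
    vals = tx.get("current")
    if vals is None:
        return None
    if not isinstance(vals, list):
        vals = [vals]
    vals = [v for v in vals if v is not None]
    return max(vals) if vals else None


def eval_after_transaction(events):
    """The original (buggy) ordering: eval runs on the collapsed transaction."""
    return [max_current(eval_current(tx)) for tx in transaction(events)]


def eval_before_transaction(events):
    """The fixed ordering: eval runs per event, then transaction groups them."""
    per_event = [eval_current(dict(ev)) for ev in events]
    return [max_current(tx) for tx in transaction(per_event)]


if __name__ == "__main__":
    print("eval after transaction :", eval_after_transaction(EVENTS))
    print("eval before transaction:", eval_before_transaction(EVENTS))
```

Running it shows the first ordering reporting the overall max of Data3 for every transaction that contains at least one Curr event (10 and 20), while the second reports only the Curr readings (5 and 8) and leaves the Curr-less transaction empty, which is the behaviour the question asked for.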

jxiongjx
Engager

This works perfectly, thanks so much!
