Splunk Answers: Splunk Search
How to edit my eval=if() statement to output the e...
jxiongjx (Engager), 06-08-2016 02:50 PM

In my search I currently have

```
...| transaction startswith="start" endswith="end" maxspan=10m
| eval current = if(Data1 == "Curr", Data3, null())
| timechart avg(duration) max(current)
```

My transaction is grouping events the way I want them to, but the problem I have is with the eval. Data1 essentially has a description of the type of data and Data3 has the value. I only care about the data when Data1 is "Curr", so if that case is true, then current should be the value of Data3. If not, then I don't care about Data3, so I set it to null.

(Note that each event has a Data1 and Data3 value, so a transaction should have x Data1's and Data3's, where x is the eventcount.)

The goal of the search is to go through each event in a transaction, see if Data1 is "Curr" and take note of the value, and after going through each event in the transaction, find the max value.

The problem I found is in the result of max(current)

If none of the events in a transaction has Data1="Curr", then there is no max(current) value which is what I am looking for.

But if there is, then the max(current) value just finds the max of Data3 regardless of whether that event is the one with Data1="Curr".

For example, if the log data has

- Event1: start
- Event2: Data1 = Curr, Data3 = 5
- Event3: Data1 = Volt, Data3 = 10
- Event4: end

my current search is outputting max(current) as 10 when I want it to be 5, since the 3rd event is not a Curr event, so its Data3 value should not be counted when finding the max.

Any help will be appreciated!

1 Solution

justinatpnnl (Communicator), 06-08-2016 05:04 PM

The transaction command is making a multi-value field out of Data1, so it will always equal "Curr" in your if statement.

You should be able to fix this by moving your eval before your transaction.

```
| eval current = if(Data1 == "Curr", Data3, null())
| transaction startswith="start" endswith="end"
| timechart avg(duration) max(current)
```
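A self-contained version of the accepted fix, added here as an example and not part of either post: it builds the four events from the question with makeresults (constructed data, not real log lines), sets current on each event before transaction groups them, and then reports max(current) next to max(Data3) so the difference between the two is visible in one row. The field names Data1, Data3 and current come from the thread; n is an assumed helper field, and the startswith/endswith filters use the eval() form of the transaction filter because constructed events have no _raw for the plain "start"/"end" string match to hit.

```spl
| makeresults count=4
| streamstats count AS n
| eval _time = _time - (5 - n)
| eval Data1 = case(n == 1, "start", n == 2, "Curr", n == 3, "Volt", n == 4, "end")
| eval Data3 = case(n == 2, 5, n == 3, 10)
| eval current = if(Data1 == "Curr", Data3, null())
| sort 0 -_time
| transaction startswith=eval(Data1 == "start") endswith=eval(Data1 == "end") maxspan=10m
| stats avg(duration) AS avg_duration, max(current) AS max_current, max(Data3) AS max_Data3, values(eventcount) AS eventcount
```

Paste it into the search bar; it needs no index. The sort puts the events in reverse chronological order, which is what transaction expects. Because current is assigned while Data1 is still a single per-event value, only the Curr event carries it into the transaction, so max_current is 5 while max_Data3 is 10 (the value the original search was returning), avg_duration is 3 seconds with these timestamps, and eventcount is 4. To apply the same shape to real data, drop the makeresults/streamstats/eval lines that fabricate the events and keep the eval current line ahead of transaction, as in the accepted answer.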

Re: How to edit my eval=if() statement to output the expected result?

jxiongjx (Engager), 06-09-2016 02:33 PM

This works perfectly, thanks so much!