Solved: How to make a multiple condition IF statement work...

dbcase · ‎05-29-2018

Hi,

This should be easy but for some reason, my brain is making it hard. I'm trying to get a 2-condition IF statement to work and well needless to say not successfully so far.

Here is the synopsis:

If the model of a camera is iCamera2-C then add -20 to the rssiid field, but only if the rssiid field is NOT zero. I've tried multiple different ways of approaching this and I can get one condition to work but not both.

Here is the latest non-working one

eval rssiid=if((cmodel!="iCamera2-C") OR (rssiid=0),rssiid,rssiid+-20)

somesoni2 · ‎05-29-2018

How about this?

....| eval rssiid=if(cmodel="iCamera2-C" AND rssiid!=0, rssiid+20,rssiid)

View solution in original post

somesoni2 · ‎05-29-2018

How about this?

....| eval rssiid=if(cmodel="iCamera2-C" AND rssiid!=0, rssiid+20,rssiid)

dbcase · ‎05-29-2018

no joy 😞 . I had tried that one earlier but tried it again and no luck. Something tells me it has to do with this mvzip/mvexpand thing you helped me with before. Maybe the whole query would help

index="camera_status" sourcetype=access_combined_camerastatus 8773|rex max_match=0 "Premise=\s+(?<premiseid>\d+)"|rex max_match=0 "Mac=\s+(?<macid>[a-fA-F0-9\.:-]{12,17})"|rex max_match=0 "RSSI=\s+(?<rssiid>[^\s]+)"|rex max_match=0 "Model=\s+(?<cmodel>.+)"|dedup macid|eval temp=mvzip(macid,rssiid,"###") |mvexpand temp | rex field=temp "(?<macid>.+)###(?<rssiid>.+)"|eval rssiid=if(rssiid="dB",0,rssiid)|eval rssiid=if(cmodel="iCamera2-C" AND rssiid!=0, rssiid+-20,rssiid)|stats list(macid) as MAC, count(macid) as "Number of Cameras", list(rssiid) as RSSI  by premiseid|sort premiseid RSSI|rename RSSI as "Current RSSI"|rename premiseid as "PREMISE - Click for Detail"

somesoni2 · ‎05-29-2018

Whats the output of above command (what values are there in rssiid column, are they zero ?).

dbcase · ‎05-29-2018

Here is a sample

Current RSSI

0
0
-47
0

-27
-60
-45
-47
-59
-48

-52
-61
0
0

-51
-35
-45
-52
-45
-45

somesoni2 · ‎05-29-2018

Try adding this eval before the iCamera2 eval

...| eval rssiid=tonumber(trim(rssiid)) |eval rssiid=if(cmodel="iCamera2-C....."

dbcase · ‎05-29-2018

Got it, using your help on the mvzip as a primer 🙂 . TY!!!

index="cox_camera_status" sourcetype=access_combined_cox_camerastatus |rex max_match=0 "Premise=\s+(?<premiseid>\d+)"|rex max_match=0 "Mac=\s+(?<macid>[a-fA-F0-9\.:-]{12,17})"|rex max_match=0 "RSSI=\s+(?<rssiid>[^\s]+)"|rex max_match=0 "Model=\s+(?<cmodel>.+)"|dedup macid|eval temp=mvzip(mvzip(macid,rssiid,"###"),cmodel,"###")|mvexpand temp | rex field=temp "(?<macid>.+)###(?<rssiid>.+)###(?<cmodel>.+)"|eval rssiid=if(cmodel="iCamera2-C" AND rssiid!=0, rssiid+-20,rssiid)|eval rssiid=if(rssiid="dB",0,rssiid)|stats list(macid) as MAC, list(cmodel) as "Camera Model" count(macid) as "Number of Cameras", list(rssiid) as RSSI  by premiseid|sort premiseid RSSI|rename RSSI as "Current RSSI"|rename premiseid as "PREMISE - Click for Detail"

How to make a multiple condition IF statement work?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Agent Mode Engaged! Enchaining Agentic Operations with Splunk AI Assistant 2.0

Announcing Modern Navigation: A New Era of Splunk User Experience

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

Join the Conversation