Solved: Re: How to make a multiple condition IF statement ...

dbcase · ‎05-29-2018

Hi,

This should be easy but for some reason, my brain is making it hard. I'm trying to get a 2-condition IF statement to work and well needless to say not successfully so far.

Here is the synopsis:

If the model of a camera is iCamera2-C then add -20 to the rssiid field, but only if the rssiid field is NOT zero. I've tried multiple different ways of approaching this and I can get one condition to work but not both.

Here is the latest non-working one

eval rssiid=if((cmodel!="iCamera2-C") OR (rssiid=0),rssiid,rssiid+-20)

somesoni2 · ‎05-29-2018

How about this?

....| eval rssiid=if(cmodel="iCamera2-C" AND rssiid!=0, rssiid+20,rssiid)

View solution in original post

somesoni2 · ‎05-29-2018

How about this?

....| eval rssiid=if(cmodel="iCamera2-C" AND rssiid!=0, rssiid+20,rssiid)

dbcase · ‎05-29-2018

no joy 😞 . I had tried that one earlier but tried it again and no luck. Something tells me it has to do with this mvzip/mvexpand thing you helped me with before. Maybe the whole query would help

index="camera_status" sourcetype=access_combined_camerastatus 8773|rex max_match=0 "Premise=\s+(?<premiseid>\d+)"|rex max_match=0 "Mac=\s+(?<macid>[a-fA-F0-9\.:-]{12,17})"|rex max_match=0 "RSSI=\s+(?<rssiid>[^\s]+)"|rex max_match=0 "Model=\s+(?<cmodel>.+)"|dedup macid|eval temp=mvzip(macid,rssiid,"###") |mvexpand temp | rex field=temp "(?<macid>.+)###(?<rssiid>.+)"|eval rssiid=if(rssiid="dB",0,rssiid)|eval rssiid=if(cmodel="iCamera2-C" AND rssiid!=0, rssiid+-20,rssiid)|stats list(macid) as MAC, count(macid) as "Number of Cameras", list(rssiid) as RSSI  by premiseid|sort premiseid RSSI|rename RSSI as "Current RSSI"|rename premiseid as "PREMISE - Click for Detail"

somesoni2 · ‎05-29-2018

Whats the output of above command (what values are there in rssiid column, are they zero ?).

dbcase · ‎05-29-2018

Here is a sample

Current RSSI

0
0
-47
0

-27
-60
-45
-47
-59
-48

-52
-61
0
0

-51
-35
-45
-52
-45
-45

somesoni2 · ‎05-29-2018

Try adding this eval before the iCamera2 eval

...| eval rssiid=tonumber(trim(rssiid)) |eval rssiid=if(cmodel="iCamera2-C....."

dbcase · ‎05-29-2018

Got it, using your help on the mvzip as a primer 🙂 . TY!!!

index="cox_camera_status" sourcetype=access_combined_cox_camerastatus |rex max_match=0 "Premise=\s+(?<premiseid>\d+)"|rex max_match=0 "Mac=\s+(?<macid>[a-fA-F0-9\.:-]{12,17})"|rex max_match=0 "RSSI=\s+(?<rssiid>[^\s]+)"|rex max_match=0 "Model=\s+(?<cmodel>.+)"|dedup macid|eval temp=mvzip(mvzip(macid,rssiid,"###"),cmodel,"###")|mvexpand temp | rex field=temp "(?<macid>.+)###(?<rssiid>.+)###(?<cmodel>.+)"|eval rssiid=if(cmodel="iCamera2-C" AND rssiid!=0, rssiid+-20,rssiid)|eval rssiid=if(rssiid="dB",0,rssiid)|stats list(macid) as MAC, list(cmodel) as "Camera Model" count(macid) as "Number of Cameras", list(rssiid) as RSSI  by premiseid|sort premiseid RSSI|rename RSSI as "Current RSSI"|rename premiseid as "PREMISE - Click for Detail"

How to make a multiple condition IF statement work?

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?