I want to find the ResultMin that "Pass" or "Fail" depending on the specific PriorityDuration that is classified by an INTERNALPRIORITY. Here is the code:
$INTERNALPRIORITY$
| eval ActualStart=strptime(ACTUALSTART,"%m/%d/%Y %I:%M:%S %p"), WorkLogEntry=strptime(WORKLOGENTRYDATE,"%m/%d/%Y %I:%M:%S %p")
| stats first(WorkLogEntry) as firstLog , values(ActualStart) as ActualStart by TICKETID
| eval result=firstLog-ActualStart
| convert dur2sec(result) as ResultSec
| eval ResultMin=ResultSec/1440
**| eval PriorityDuration=case(INTERNALPRIORITY==1,"15",INTERNALPRIORITY==2,"30",INTERNALPRIORITY==3,"60")**
**| eval SLA1=if(ResultMin>PriorityDuration, "Fail", "Pass")**
| stats values(SLA1) AS "SLA1 Result" by TICKETID
The $INTERNALPRIORITY$ is based on a filter, where I can choose a number (1, 2, or 3). If INTERNALPRIORITY 1 is chosen, then the code should use 15 for the next eval statement, and so on. The result is only giving me "Pass", meaning it is not taking the PriorityDuration correctly on the bolded lines. I need to be able to use the PriorityDuration result based on the INTERNALPRIORITY chosen to compare in the if statement.
Am I using the right eval/case/if statement?
Best thing to do for debugging is to execute your search step by step and confirm each row is working as expected.
So start with running just
...
| eval ActualStart=strptime(ACTUALSTART,"%m/%d/%Y %I:%M:%S %p"), WorkLogEntry=strptime(WORKLOGENTRYDATE,"%m/%d/%Y %I:%M:%S %p")
| stats first(WorkLogEntry) as firstLog , values(ActualStart) as ActualStart by TICKETID
And if that is all as expected, then add the rest step by step, testing each additional step before adding the next.
Might be the `| convert dur2sec(result) as ResultSec`. You're subtracting 2 epoch format timestamps, which already results in a simple number of seconds. That convert is not necessary and may fail, causing the ResultSec field not to be populated / populated with an incorrect value.
Also, my SLA1 if statement has worked when I just add a number instead of linking to the Priority duration case statement. So, it is the Case statement that is probably not the right way to do it.
Guess you need to put $ signs around that token name (if it is indeed a dashboard token as you mentioned earlier).
You probably could also configure that filter dropdown to use 1,2,3 for the names of the values (as displayed in the dropdown) and use 15,30 and 60 as the actual values being passed through the token, so you don't need that case statement in the first place.
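
A self-contained search for testing the steps discussed in this thread one at a time, added here as an example and not posted by either participant. It builds three constructed tickets (TICKETID values starting with SAMPLE-) with makeresults, leaves out the convert step, and keeps INTERNALPRIORITY in the stats by clause so the field still exists when case() runs. Assumptions: INTERNALPRIORITY is a field on the events, the sample timestamps are made up, the thresholds are numeric, and minutes are computed as seconds divided by 60.

```spl
| makeresults count=3
| streamstats count as INTERNALPRIORITY
| eval TICKETID="SAMPLE-".INTERNALPRIORITY
| eval ACTUALSTART="01/15/2024 09:00:00 AM"
| eval WORKLOGENTRYDATE=case(INTERNALPRIORITY==1,"01/15/2024 09:10:00 AM", INTERNALPRIORITY==2,"01/15/2024 09:45:00 AM", INTERNALPRIORITY==3,"01/15/2024 09:50:00 AM")
| eval ActualStart=strptime(ACTUALSTART,"%m/%d/%Y %I:%M:%S %p"), WorkLogEntry=strptime(WORKLOGENTRYDATE,"%m/%d/%Y %I:%M:%S %p")
| stats first(WorkLogEntry) as firstLog, values(ActualStart) as ActualStart by TICKETID, INTERNALPRIORITY
| eval ResultSec=firstLog-ActualStart
| eval ResultMin=ResultSec/60
| eval PriorityDuration=case(INTERNALPRIORITY==1,15, INTERNALPRIORITY==2,30, INTERNALPRIORITY==3,60)
| eval SLA1=if(ResultMin>PriorityDuration, "Fail", "Pass")
| table TICKETID INTERNALPRIORITY ResultMin PriorityDuration SLA1
```

The final table shows every intermediate field per ticket, so an empty PriorityDuration or ResultMin column points at the step that needs fixing.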