Splunk Search

How to show a true value for the If function?

ranjitbrhm1
Communicator

Hello All i have the below query which is based on a ping request running on the back end.

the data looks like this

Reply from 192.168.1.1: bytes=32 time=48ms TTL=64

sourcetype=pingr Server=192.168.1.104 
| stats avg(ms) as averages by Server 
| fields - Server 
| appendpipe 
    [ stats count 
    | eval averages=0 
    | where count==0 
    | fields - count ]

So the below server will give me a value of 0 if the server is actually of instead of no results are found. I was wondering if its possible to show a text like "Server is off" if the value of 0 is returned and show the actual value of the server is on. I have tried the if command with eval and it kind of works but any value other than 0 should show the correct value of average calculated earlier.
Is this possible? Any help is highly appreciated.
thanks

0 Karma
1 Solution

FrankVl
Ultra Champion

Generically, you can use an if statement like this: eval averages = if(count=0,"Server is off",averages). Such that if the count is not 0, it retains the original averages value.

But in your case, wouldn't it be a simple matter of changing the eval in the appendpipe part?

 sourcetype=pingr Server=192.168.1.104 
 | stats avg(ms) as averages by Server 
 | fields - Server 
 | appendpipe 
     [ stats count 
     | eval averages="Server is off"
     | where count==0 
     | fields - count ]

Or am I completely misunderstanding this example query?

View solution in original post

FrankVl
Ultra Champion

Generically, you can use an if statement like this: eval averages = if(count=0,"Server is off",averages). Such that if the count is not 0, it retains the original averages value.

But in your case, wouldn't it be a simple matter of changing the eval in the appendpipe part?

 sourcetype=pingr Server=192.168.1.104 
 | stats avg(ms) as averages by Server 
 | fields - Server 
 | appendpipe 
     [ stats count 
     | eval averages="Server is off"
     | where count==0 
     | fields - count ]

Or am I completely misunderstanding this example query?

ranjitbrhm1
Communicator

This is spot on. I never taught the other way around.
Thanks

0 Karma

FrankVl
Ultra Champion

Glad it helped 🙂

Please mark the answer as accepted, so it is clear for others the question has been answered 🙂

0 Karma
Get Updates on the Splunk Community!

New Cloud Intrusion Detection System Add-on for Splunk

In July 2022 Splunk released the Cloud IDS add-on which expanded Splunk capabilities in security and data ...

Happy CX Day to our Community Superheroes!

Happy 10th Birthday CX Day!What is CX Day? It’s a global celebration recognizing innovation and success in the ...

Check out This Month’s Brand new Splunk Lantern Articles

Splunk Lantern is a customer success center providing advice from Splunk experts on valuable data insights, ...