- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to show a true value for the If function?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello All i have the below query which is based on a ping request running on the back end.
the data looks like this
Reply from 192.168.1.1: bytes=32 time=48ms TTL=64
sourcetype=pingr Server=192.168.1.104
| stats avg(ms) as averages by Server
| fields - Server
| appendpipe
[ stats count
| eval averages=0
| where count==0
| fields - count ]
So the below server will give me a value of 0 if the server is actually of instead of no results are found. I was wondering if its possible to show a text like "Server is off" if the value of 0 is returned and show the actual value of the server is on. I have tried the if command with eval and it kind of works but any value other than 0 should show the correct value of average calculated earlier.
Is this possible? Any help is highly appreciated.
thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Generically, you can use an if statement like this: eval averages = if(count=0,"Server is off",averages). Such that if the count is not 0, it retains the original averages value.
But in your case, wouldn't it be a simple matter of changing the eval in the appendpipe part?
sourcetype=pingr Server=192.168.1.104
| stats avg(ms) as averages by Server
| fields - Server
| appendpipe
[ stats count
| eval averages="Server is off"
| where count==0
| fields - count ]
Or am I completely misunderstanding this example query?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Generically, you can use an if statement like this: eval averages = if(count=0,"Server is off",averages). Such that if the count is not 0, it retains the original averages value.
But in your case, wouldn't it be a simple matter of changing the eval in the appendpipe part?
sourcetype=pingr Server=192.168.1.104
| stats avg(ms) as averages by Server
| fields - Server
| appendpipe
[ stats count
| eval averages="Server is off"
| where count==0
| fields - count ]
Or am I completely misunderstanding this example query?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This is spot on. I never taught the other way around.
Thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Glad it helped 🙂
Please mark the answer as accepted, so it is clear for others the question has been answered 🙂
Splunk Custom Visualizations App End of Life
Introducing Splunk Enterprise 9.2
Adoption of RUM and APM at Splunk
