Splunk Search

How to show a true value for the If function?

ranjitbrhm1
Communicator

Hello All, I have the below query, which is based on a ping request running on the back end.

The data looks like this:

Reply from 192.168.1.1: bytes=32 time=48ms TTL=64

sourcetype=pingr Server=192.168.1.104 
| stats avg(ms) as averages by Server 
| fields - Server 
| appendpipe 
    [ stats count 
    | eval averages=0 
    | where count==0 
    | fields - count ]

So the above query will give me a value of 0 if the server is actually off, instead of no results being found. I was wondering if it's possible to show text like "Server is off" if the value of 0 is returned, and show the actual value if the server is on. I have tried the if command with eval and it kind of works, but any value other than 0 should show the correct value of the average calculated earlier.
Is this possible? Any help is highly appreciated.
Thanks

0 Karma
1 Solution

FrankVl
Ultra Champion

Generically, you can use an if statement like this: eval averages = if(count=0,"Server is off",averages). Such that if the count is not 0, it retains the original averages value.

But in your case, wouldn't it be a simple matter of changing the eval in the appendpipe part?

sourcetype=pingr Server=192.168.1.104 
| stats avg(ms) as averages by Server 
| fields - Server 
| appendpipe 
    [ stats count 
    | eval averages="Server is off"
    | where count==0 
    | fields - count ]

Or am I completely misunderstanding this example query?
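To see both branches of that appendpipe trick without a pingr sourcetype, here is an added example (not from the original thread) that fabricates three ping replies with makeresults, extracts the ms field with rex, and then applies the same stats/appendpipe pattern as the accepted answer. The server address, the three reply lines and the "Server is off" label are assumed for illustration; they are not data from the original post.

```spl
| makeresults count=3
| streamstats count AS n
| eval Server="192.168.1.104"
| eval _raw=case(n=1, "Reply from 192.168.1.104: bytes=32 time=48ms TTL=64",
                 n=2, "Reply from 192.168.1.104: bytes=32 time=52ms TTL=64",
                 n=3, "Reply from 192.168.1.104: bytes=32 time=47ms TTL=64")
| rex field=_raw "time=(?<ms>\d+)ms"
| search Server="192.168.1.104"
| stats avg(ms) AS averages BY Server
| fields - Server
| appendpipe
    [ stats count
    | eval averages="Server is off"
    | where count==0
    | fields - count ]
```

Run as written, the search filter matches all three constructed replies, stats produces one row, and the appendpipe subsearch sees count=1, so its where clause drops the extra row: the single result is averages=49 (the mean of 48, 52 and 47). Change the search line to a server that does not exist in the constructed data (for example Server="192.168.1.105") and stats emits no rows at all; the appendpipe subsearch then runs stats count over an empty result set, which still yields one row with count=0, so the where clause keeps it and the single result is averages="Server is off". That count=0 row from an empty pipeline is the whole trick, and it is the reason the "off" text can simply be assigned in the eval rather than tested for afterwards. One caveat for dashboards: once a string is written into averages, that column is no longer purely numeric, so numeric formatting or colour thresholds on a single-value panel will apply to the 49 row but not to the "Server is off" row.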

ranjitbrhm1
Communicator

This is spot on. I never thought of it the other way around.
Thanks

0 Karma

FrankVl
Ultra Champion

Glad it helped 🙂

Please mark the answer as accepted, so it is clear for others the question has been answered 🙂

0 Karma