Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to show a true value for the If function?

ranjitbrhm1
Communicator
‎06-30-2018 11:02 PM

Hello All i have the below query which is based on a ping request running on the back end.

the data looks like this

Reply from 192.168.1.1: bytes=32 time=48ms TTL=64

sourcetype=pingr Server=192.168.1.104 
| stats avg(ms) as averages by Server 
| fields - Server 
| appendpipe 
    [ stats count 
    | eval averages=0 
    | where count==0 
    | fields - count ]

So the below server will give me a value of 0 if the server is actually of instead of no results are found. I was wondering if its possible to show a text like "Server is off" if the value of 0 is returned and show the actual value of the server is on. I have tried the if command with eval and it kind of works but any value other than 0 should show the correct value of average calculated earlier.
Is this possible? Any help is highly appreciated.
thanks

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

FrankVl
Ultra Champion
‎07-01-2018 01:11 AM

Generically, you can use an if statement like this: eval averages = if(count=0,"Server is off",averages). Such that if the count is not 0, it retains the original averages value.

But in your case, wouldn't it be a simple matter of changing the eval in the appendpipe part?

 sourcetype=pingr Server=192.168.1.104 
 | stats avg(ms) as averages by Server 
 | fields - Server 
 | appendpipe 
     [ stats count 
     | eval averages="Server is off"
     | where count==0 
     | fields - count ]

Or am I completely misunderstanding this example query?

View solution in original post

Reply
Solved! Jump to solution
Solution

FrankVl
Ultra Champion
‎07-01-2018 01:11 AM

Generically, you can use an if statement like this: eval averages = if(count=0,"Server is off",averages). Such that if the count is not 0, it retains the original averages value.

But in your case, wouldn't it be a simple matter of changing the eval in the appendpipe part?

 sourcetype=pingr Server=192.168.1.104 
 | stats avg(ms) as averages by Server 
 | fields - Server 
 | appendpipe 
     [ stats count 
     | eval averages="Server is off"
     | where count==0 
     | fields - count ]

Or am I completely misunderstanding this example query?

Reply
Solved! Jump to solution

ranjitbrhm1
Communicator
‎07-01-2018 01:25 AM

This is spot on. I never taught the other way around.
Thanks

0 Karma
Reply
Solved! Jump to solution

FrankVl
Ultra Champion
‎07-01-2018 01:45 AM

Glad it helped 🙂

Please mark the answer as accepted, so it is clear for others the question has been answered 🙂

0 Karma
Reply
Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Dynamic formatting from XML events

This challenge was first posted on Slack #puzzles channelFor a previous puzzle, I needed a set of fixed-length ...

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

  🚀 Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...