## Logic for looped if greater than statement

Path Finder

Hey There,

Below I have a field where ABC > 2500 because the value is actually 2800. So then if ABC > 2500, add 1 day to the Human_readable field. I have already created the logic for adding 1 day to the Human_readable field... The question now is how can I write the logic for it in a nested loop? So if ABC>2500, add 1 day to Human_readable.

This is my logic that I have thus far:

| eval Then_Set=if(ABC>2500,strftime(strptime(Human_readable,"%B %d, %Y") +86400, "%B %d, %Y")

This is what I have so far:

```
| makeresults

| eval ABC="2800", DEF="3", GHI="5"
| eval rel_Time="11102021"

| eval Epoch_Time=strpTime(rel_Time,"%m%d%Y")
| eval Human_readable=strfTime(Epoch_Time, "%B %d, %Y")

| eval Then_Set=if(ABC>2500,strftime(strptime(Human_readable,"%B %d, %Y") +86400, "%B %d, %Y")
```

1 Solution
SplunkTrust

Maybe you can clarify what is expected from this "nested loop" and how the results from the logic you created so far are different from the expectation?

By the way, the last if() statement in your illustration is incomplete in syntax. It should be something like

| eval Then_Set=if(ABC>2500,strftime(strptime(Human_readable,"%B %d, %Y") +86400, "%B %d, %Y"), "none")

For example,

```
| makeresults

| eval ABC="2800", DEF="3", GHI="5"
| eval rel_Time="11102021"

| eval Epoch_Time=strpTime(rel_Time,"%m%d%Y")
| eval Human_readable=strfTime(Epoch_Time, "%B %d, %Y")

| eval Then_Set=if(ABC>2500,strftime(strptime(Human_readable,"%B %d, %Y") +86400, "%B %d, %Y"), "none")
```

gets you

| Service | Epoch_Time | Human_readable | Add_1day | Then_Set |
|---|---|---|---|---|
| Send Alert | 1636531200.000000 | November 10, 2021 | November 11, 2021 | November 11, 2021 |

Path Finder

Thanks, basically it was my syntax that was throwing me off... since I had:

| eval Then_Set=if(ABC>2500,strftime(strptime(Human_readable,"%B %d, %Y") +86400, "%B %d, %Y")

I was not sure of the syntax therefore I was not seeing expected results - and you demonstrated the correct syntax:

`| eval Then_Set=if(ABC>2500,strftime(strptime(Human_readable,"%B %d, %Y") +86400, "%B %d, %Y"), "none")`
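The following is an added example, not code from either poster: it runs the three-argument if() from the accepted answer over several constructed rows, so both branches are visible, and shows one variation on the date arithmetic. The `row` field, the extra ABC and rel_Time values, and the `Then_Set_rel` field are constructed for illustration. It assumes the search runs in a time zone that observed the US daylight-saving change on November 7, 2021, and that relative_time() with "+1d" steps by calendar day in that zone.

```spl
| makeresults count=3
| streamstats count AS row
``` constructed sample rows: above threshold, below threshold, above threshold on a 25-hour day ```
| eval ABC=case(row=1,"2800", row=2,"1200", row=3,"2600")
| eval rel_Time=case(row=1,"11102021", row=2,"11102021", row=3,"11072021")
| eval Epoch_Time=strptime(rel_Time,"%m%d%Y")
| eval Human_readable=strftime(Epoch_Time,"%B %d, %Y")
``` form from the accepted answer: fixed 86400-second offset, "none" as the else value ```
| eval Then_Set=if(tonumber(ABC)>2500, strftime(strptime(Human_readable,"%B %d, %Y")+86400, "%B %d, %Y"), "none")
``` variation: work from Epoch_Time directly and let relative_time() apply the one-day offset ```
| eval Then_Set_rel=if(tonumber(ABC)>2500, strftime(relative_time(Epoch_Time,"+1d"), "%B %d, %Y"), "none")
| table row ABC Human_readable Then_Set Then_Set_rel
```

On row 3, midnight plus 86400 seconds is 23:00 on the same calendar date because that day is 25 hours long, so compare Then_Set with Then_Set_rel for that row. The tonumber() call makes the comparison explicitly numeric, since ABC is assigned as a quoted string.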