Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Why does my search with an eval if condition always return false?

cdstealer
Contributor
‎06-16-2015 04:22 AM

Hi,

I'm having difficulty in using a field in a dashboard. I have 3 fields that I'm trying to use some logic with.

qos_metric, qos_bandwidth & qos_thruput

I tried this, but it always returns false:

   | eval qos_unit=if(qos_metric == "Bandwidth", qos_bandwidth, qos_thruput)

The index always contains qos_bandwidth & qos_thruput together, but I only require one.

The logic:
if qos_metric == Bandwidth then qos_unit contains the value of qos_bandwidth, else qos_unit contains the value of qos_thruput.

The search (to add context):

Index=storage_arrays sourcetype=qos dev_name=$device$ qos_class=$class$ | eval qos_unit=if(qos_metric == "Bandwidth", qos_bandwidth, qos_thruput) | chart avg(qos_unit) as "QoS" avg(qos_metric_value) as Limit over _time by qos_class | eval _span=4

I hope I explained OK.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

cdstealer
Contributor
‎06-17-2015 12:03 AM

Instead of trying to go through an eval condition, I've created an input with the static values Name=Bandwidth Value=qos_bandwidth, Name=Throughput,Value=qos_thruput. I then removed the entire eval statement. This seems to work as expected 🙂 It just means a manual step rather than automated.

index="storage_arrays" sourcetype="qos" dev_name="$device$" qos_class="$class$" | chart avg($qosVol$) as "QoS" avg(qos_metric_value) as "Limit" over _time by qos_class

Thank you for all your time.

EDIT

Managed to automate it and thought I'd add it just in case.

index="storage_arrays" sourcetype="qos" dev_name="$device$" qos_class="$class$" | fields qos_class dev_name qos_metric qos_bandwidth qos_thruput qos_metric_value | transaction qos_metric qos_bandwidth qos_thruput qos_class dev_name | eval qos_unit=if(qos_metric == "Bandwidth", qos_bandwidth, qos_thruput)| chart avg(qos_unit) as "QoS" avg(qos_metric_value) as "Limit" over _time by qos_class

Breakdown:

<main search populated by form options> | <only return the fields I'm interested in> | <merge the fields> The "qos_metric" field is from a second source, so creates a separate event to the other fields. | <If statement so if qos_metric is Bandwidth only return qos_bandwidth value, else qos_thruput values.> | <stick it in a chart so we can do pretty graphs>

Thanks

View solution in original post

Reply
Solved! Jump to solution
Solution

cdstealer
Contributor
‎06-17-2015 12:03 AM

Instead of trying to go through an eval condition, I've created an input with the static values Name=Bandwidth Value=qos_bandwidth, Name=Throughput,Value=qos_thruput. I then removed the entire eval statement. This seems to work as expected 🙂 It just means a manual step rather than automated.

index="storage_arrays" sourcetype="qos" dev_name="$device$" qos_class="$class$" | chart avg($qosVol$) as "QoS" avg(qos_metric_value) as "Limit" over _time by qos_class

Thank you for all your time.

EDIT

Managed to automate it and thought I'd add it just in case.

index="storage_arrays" sourcetype="qos" dev_name="$device$" qos_class="$class$" | fields qos_class dev_name qos_metric qos_bandwidth qos_thruput qos_metric_value | transaction qos_metric qos_bandwidth qos_thruput qos_class dev_name | eval qos_unit=if(qos_metric == "Bandwidth", qos_bandwidth, qos_thruput)| chart avg(qos_unit) as "QoS" avg(qos_metric_value) as "Limit" over _time by qos_class

Breakdown:

<main search populated by form options> | <only return the fields I'm interested in> | <merge the fields> The "qos_metric" field is from a second source, so creates a separate event to the other fields. | <If statement so if qos_metric is Bandwidth only return qos_bandwidth value, else qos_thruput values.> | <stick it in a chart so we can do pretty graphs>

Thanks

Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎06-16-2015 08:06 AM

Try this:

Index=storage_arrays sourcetype=qos dev_name=$device$ qos_class=$class$ | eval qos_unit=if(like(qos_metric,"%Bandwidth%"), qos_bandwidth, qos_thruput) | chart avg(qos_unit) as "QoS" avg(qos_metric_value) as Limit over _time by qos_class

The only reason that this makes sense ("if" is always true) is if your test is not what you think it is; this test is a little more flexible to accommodate bounding whitespace.

0 Karma
Reply
Solved! Jump to solution

cdstealer
Contributor
‎06-17-2015 12:00 AM

Hi, Thanks again. Still no joy 😞 Though I have sorted it another way 🙂 Answer to follow.

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎06-16-2015 06:33 AM

You explained everything except for the problem that you are having. According to your "question" everything is A-OK and working fine. IMHO there is nothing wrong with your search string with the exception that the final clause ( | eval _span=4 ) is useless and does nothing (which makes me think that you are trying to have it do something, which maybe is the "unspoken problem" that you are having). Clarify your problem and maybe we can help you. In any case, the search you posted should do exactly as you indicated is your desire.

0 Karma
Reply
Solved! Jump to solution

cdstealer
Contributor
‎06-16-2015 07:30 AM

Hi, I removed the |eval span=4 to be safe which made no difference. The problem that I'm having is that the if-then-else is alway returning false which make qos_unit always have the value of qos_thruput even if qos_metric is Bandwidth. So to explain:

If qos_metric = bandwidth then let qos_unit contain qos_bandwidth values else qos_unit contains qos_thruput values.

0 Karma
Reply
Solved! Jump to solution

stephanefotso
Motivator
‎06-16-2015 05:19 AM

Hello! I think the error should be your avg(qos_unit) and avg(qos_metric_value). Make sure that qos_unit and qos_metric_value have numerical values since avg will only work with numerical values. If not, try another function

Thanks.

SGF
Reply
Solved! Jump to solution

cdstealer
Contributor
‎06-16-2015 05:42 AM

Hi, The two fields only contain integers. And I've pretty much worked my way through doc.

0 Karma
Reply
Solved! Jump to solution

stephanefotso
Motivator
‎06-16-2015 07:26 AM

Run your search without a token and let know what happen

Index=storage_arrays sourcetype=qos dev_name=* qos_class=* | eval qos_unit=if(qos_metric == "Bandwidth", qos_bandwidth, qos_thruput) | chart avg(qos_unit) as "QoS" avg(qos_metric_value) as Limit over _time by qos_class
SGF
0 Karma
Reply
Solved! Jump to solution

fdi01
Motivator
‎06-16-2015 04:30 AM

if "Bandwidth" is an field, try like :

index=storage_arrays sourcetype=qos dev_name=$device$ qos_class=$class$ | eval qos_unit=if(qos_metric == Bandwidth, qos_bandwidth, qos_thruput) | chart avg(qos_unit) as "QoS" avg(qos_metric_value) as Limit over _time by qos_class | eval _span=4

or
if "Bandwidth" is an string , the you querry is verry OK .

0 Karma
Reply
Solved! Jump to solution

cdstealer
Contributor
‎06-16-2015 04:38 AM

Hi fdi01, Thanks for the reply. The quotes (with/without) make no difference. 😞

0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...