Splunk Search

evaluation with condition

zacksoft
Contributor

I have two values x and y. Both values are dynamic (keeps on changing).
x indicates _time and y indicates a value that continuosly changes with time.
I want the value of y at two particular instances of x.

I do this,
|eval mytime = round(_time)
|eval mytime2 = round(_time) - 40

I wish to have value of y when x's value is mytime and
the value of y when x's value is mytime2 (i.e. 40 sec before current time)
If condition only helps to get the value of y when x is mytime, but it won't help when x = mytime2. When x=mytime2 , it still gives the same value as mytime. But it shouldn't be the case.

Tags (1)
0 Karma

ppuru
Path Finder

_time in Splunk is always in epoch format even though it shows up in human readable format. You can see in this action when you assign _time to a custom field. Ex. eval Time = _time.
With this thought in mind, if you put-in conditions to check Time (Y) to show values of X, I assume it will yield results as intended.

0 Karma

493669
Super Champion

Try this:

...|eval result= case(x=mytime,y, x=mytime2,y)

zacksoft
Contributor

I tried this and I get empty value(nothing) for y1 and y2.
y1 is where I want to save y's value when it matches with mytime
y2 is where I want to save y's value when it matches mytime2.
This is what I tried

| eval mytime = round(_time) | eval mytime2= round(_time)-40
| eval x = round(_time)
| eval result= case(x=mytime,y1, x=mytime2,y2)
| table mytime,mytime2,y1,y2

0 Karma

zacksoft
Contributor

@493669
Thanks for your analysis. It was helpful. I'll look into it.

0 Karma

FrankVl
Ultra Champion

What is the data that you used for this test? Specifically: do fields y1 and y2 actually exist?

It would really help if you're a bit more clear in exactly what you are trying and what you expect as the outcome.

0 Karma

zacksoft
Contributor

y's value changes based on x. and x indicates _time in real -time.
I am looking to find the value of y based on two different instance of time(x) and save it in y1 and y2 respectively. y1 and y2 don't exist.

I tried this
| eval mytime = round(_time)
| eval mytime2= round(_time)-40
| eval x = round(_time)
| eval result= case(x=mytime,y1, x=mytime2,y2)
| table mytime,mytime2,y1,y2

this didn't give any result

0 Karma

FrankVl
Ultra Champion

As @493669 already mentions above: if you set x=round(_time), how will it ever match anything else then mytime (which you also set to round(_time).

And eval result=case... stores the content of y1 or y2 (depending on which case is true) in the result field. So if y1 and y2 are empty, of course that gives no result.

I think two things are making it hard to answer this properly:
1: your explanation of exactly what data you have and what you want as a result remains vague.
2: people still try to help you along with examples, but you don't fully understand some of the commands suggested, which causes you to glue examples together in ways that don't make much sense, which only adds to the confusion.

So:
Please be more clear in describing what data you have and what you want to achieve AND when someone presents an example, check the Splunk search reference documentation and make sure you understand what the commands do and how to use them, so you know how to apply it to your use case.

Sorry for perhaps being a bit direct on this, but in the end that is the way you will take the most out of such discussions and really improve your Splunk search skills 🙂

0 Karma

zacksoft
Contributor

Thanks for the feedback. I'll look into it.

0 Karma

493669
Super Champion

try this:

| eval mytime = round(_time) | eval mytime2= round(_time)-40
| eval x = round(_time) 
|eval y1=if(x=mytime,y), y2=if(x=mytime2,y)
|table mytime,mytime2,y1,y2
0 Karma

zacksoft
Contributor

Error in 'eval' command: The arguments to the 'if' function are invalid.

0 Karma

493669
Super Champion

does in your data y field exists?

0 Karma

493669
Super Champion

ohh my mistake.. try this

| eval mytime = round(_time) | eval mytime2= round(_time)-40
 | eval x = round(_time) 
 |eval y1=if(x=mytime,y,null()), y2=if(x=mytime2,y,null())
 |table mytime,mytime2,y1,y2
0 Karma

493669
Super Champion

here if x value matches with mytime then store y's value in y1 else null.
similarly if x value matches with mytime2 then store y's value in y2 else store null.
this is basic understanding of this query

0 Karma

zacksoft
Contributor

| eval mytime = round(_time) | eval mytime2= round(_time)-40
| eval x = round(_time)
| eval y1=if(x=mytime,y,null()), y2=if(x=mytime2,y,null())
| table mytime,mytime2,y1,y2

somehow x value (i.e. the current time) matches with mytime and gives y data, BUT x value doesn't match with mytime2(i.e. 40 sec previous data) and gives null.

I tried changing 'mytime2' to -40, -60, -30 etc... But same result.

0 Karma

zacksoft
Contributor

@493669
I think, if "x" were some other alphanumeric value except " _time" it might have worked.
When it comes to '_time' the anomaly rises. But I could be wrong.
I have applied the same logic at other instances and it have worked, But when it comes to comparing _time field it shows weirdness.

0 Karma

493669
Super Champion

not able to understand what you exactly want to achieve?
if could you provide exact sample input and expected output...

0 Karma

493669
Super Champion

one thing i noticed how it could match x=mytime2 as you already set x value nothing but mytime value ....because mytime=round(_time) and x value is also round(_time)

0 Karma

zacksoft
Contributor

I tried this
| eval mytime = round(_time) | eval mytime2= round(_time)-40
| eval x = round(_time), x2 = round(_time)-40
| eval y1=if(x=mytime,y,null()), y2=if(x2=mytime2,y,null())
| table mytime,mytime2,y1,y2

This gives me y2 value , but not the correct value. It shows me the same y2 value that of y1. I think when the condition x2=mytime2 becomes true , it is giving us the "current value of y" instead of giving the "40 sec older value of y".
But I want both the current y value and 40 sec older y value .

0 Karma

FrankVl
Ultra Champion

You do realize all those eval statements work event by event, right?

So for any given event there is only 1 y value. So not sure how you expect to get different results from those case statements. Since your data already has timestamps, why are you evaluating x like this?

You have data where x is a (rounded) timestamp, and y is the value you are looking for, right?

And you want (in the end) to find those y values where x is either equal to current time (now()) or equal to 40 seconds ago?

To me that sounds like something that would look like this:

...your search that returns data with timestamp in x and data value in y...
| eval mytime=now() | eval mytime2=now()-40
| where x=mytime OR x=mytime2
| table x,y

Which will return only those lines from your data where the timestamp in field x is equal to now() or now()-40.

0 Karma

zacksoft
Contributor

This worked. But only for y1. I don't see any values for y2. y2 column comes empty.
And yes, y has value in it.

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...