Solved: if else with where clause

dkdeepshikhaa · ‎06-07-2019

required

if (a $lt; b)

eval c=round(((b-a)/b)*100),0)
print c
else
print "no change"

How to get this through splunk query?

vnravikumar · ‎06-07-2019

Hi

Try this

| makeresults 
| eval a=20,b=30 
| eval c=if(a<b,round(((b-a)/b)*100,0),"no change")

View solution in original post

vnravikumar · ‎06-07-2019

Hi

Try this

| makeresults 
| eval a=20,b=30 
| eval c=if(a<b,round(((b-a)/b)*100,0),"no change")

dkdeepshikhaa · ‎06-07-2019

thank you vnravikumar, it worked

kamlesh_vaghela · ‎06-07-2019

@dkdeepshikhaa

Can you please try this?

| makeresults 
| eval a=100,b=20,c="No Change"
| eval c=case(a<b,round(((b-a)/b)*100,0),1=1,c)


| makeresults 
| eval a=100,b=200,c="No Change"
| eval c=case(a<b,round(((b-a)/b)*100,0),1=1,c)

if else with where clause

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

May 2026 Splunk Expert Sessions: Security & Observability

Network to App: Observability Unlocked [May & June Series]

SPL2 Deep Dives, AppDynamics Integrations, SAML Made Simple and Much More on Splunk ...

Join the Conversation