Splunk Search

if satisfy stat count by eval1 else stat count by eval2

akira2211
Explorer

Hi bro, I have a problem with display next version to compare with current version selected
The code bellow is work, but when i selected the lastest version i can not handle null value in VERSION
I want VERSION will stats count from version_0 (All value excepted current value select) when i select lasted version
How can i display it, appricate thanks for any help !

index=abcd MODEL IN ($model$) BUILDTYPE=$buildtype$ source="source1"
| search VERSION> $version$
| stats count by VERSION

i try the bellow code but it didnt work due to null value in temp will replaced
index=abcd MODEL IN ($model$) BUILDTYPE=$buildtype$ source="source1"
| eval version = VERSION
| eval temp = if(version > $version$, VERSION, null)
| eval temp1 = if(isnull(temp), mvindex(VERSION,1) , temp)
| stats count by temp1

Tags (2)
0 Karma

Richfez
SplunkTrust
SplunkTrust

You very well may be able to just do a

index=abcd MODEL IN ($model$) BUILDTYPE=$buildtype$ source="source1"
| search VERSION> $version$
| fillnull VERSION value=0
| stats count by VERSION

Replace "value=0" with some other value as appropriate.

0 Karma

akira2211
Explorer

Hi. thanks for your help but it doesn't work.
In details:
In Version i have [1,2,3,4,5]
If my $version$ = 3, so, my result will be
VERSION
4
5
but if $version$ = 5. It will return nothing
Expect out put as i hope:
VERSION

1

2

3

4

OR
VERSION
4
3
2
1

0 Karma

woodcock
Esteemed Legend

What do you expect the output to be when $version$ = 5?

0 Karma

akira2211
Explorer

This is data table example

Model             BuildType         Version
    A               type1                1
    A               type2                2
    A               type1                3
    B               type1                4
    B               type2                5
    B               type1                6

I have 2 panel.
Left is panel with version i select from chart.

Right panel is version choise ($version$) with default is next $version$

index=abcd MODEL IN ($model$) BUILDTYPE=$buildtype$ source="source1"
| search VERSION> $version$
| stats count by VERSION

In the above code. When i click on version 3 in chart. I have left panel is version 3. And right will be 4 (Dropdown list with value is 4, 5, 6 . But 4 will be selected)
However, when i choise the lastest version. Example i click on version 6 on chart ($version$ = 6 )
The left panel now will select version = 6. Right panel is no result found ( Null ) now.
The output i expect as bellow

Left Panel                    Right Panel

Version                     Version
   6                              5

This is dropdown list so we also can choice Version in Right to 4,3,2,1

0 Karma

Richfez
SplunkTrust
SplunkTrust

This will be far easier if we know what your data looks like, so can you supply a couple of events for us to look at?

Please use the code button to paste them (101010).

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...