Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

if then to differentiate fields / variables?

rkappler
Explorer
‎08-06-2015 08:07 AM

I have data over time on the aging of ssd's that gives me a date, identifying information and a 'health' number. I want to get rates of change of that health number. My search thus far is:
source=new.csv (NOT Health:0 NOT Health:MISSING date=20150407 OR date=20150529 OR date=20150727) | eval combo = IP + Disk | transaction combo
I need to differentiate the health based on date so that I can calculate rates of change based on time interval, in other words I'd like to do:

(MayHealth - AprilHealth)/52 and so on to get the rate of change per day for each date pair.

My problem is I'm floundering figuring out how to differentiate each health. I do programming in several languages but am new to Splunk, so my initial reaction was to do (pseudocode):
if date = 20150407 then health = AprilHealth
elif date = 20150529 the health = MayHealth
else health = JulyHealth

Any suggestions? I think I'm looking for an eval function, or possible a rename, or maybe a rename within an if (is that even possible) but am stuck.

regards, Richard

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

rkappler
Explorer
‎08-06-2015 08:56 AM

We ended up doing:
...| eval apr=if(date=20150407, Health, NULL) | eval may=if(date=20150529, Health, NULL) | eval jul=if(date=20150727, Health, NULL) | ...

Thanks for the input though, I'm off to try they case statement

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

rkappler
Explorer
‎08-06-2015 08:56 AM

We ended up doing:
...| eval apr=if(date=20150407, Health, NULL) | eval may=if(date=20150529, Health, NULL) | eval jul=if(date=20150727, Health, NULL) | ...

Thanks for the input though, I'm off to try they case statement

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎08-06-2015 08:19 AM

Perhaps the case statement will do.

... | eval health=case(date = 20150407, AprilHealth, date = 20150529, MayHealth,1=1, JulyHealth) | ...
---
If this reply helps you, Karma would be appreciated.
Reply
Get Updates on the Splunk Community!

Your Guide to Splunk Digital Experience Monitoring

A flawless digital experience isn't just an advantage, it's key to customer loyalty and business success. But ...

Data Management Digest – November 2025

  Welcome to the inaugural edition of Data Management Digest! As your trusted partner in data innovation, the ...

Upcoming Webinar: Unmasking Insider Threats with Slunk Enterprise Security’s UEBA

Join us on Wed, Dec 10. at 10AM PST / 1PM EST for a live webinar and demo with Splunk experts! Discover how ...