Splunk Search

using where and eval together to create a field based on conditions


I have a search using the predict function

index=core eventtype="Device" DeviceName=Device1 earliest=-10d@d latest=+10d@d
| timechart span=d max(ThrputMbps) as ThrputMbps
| predict ThrputMbps as predict1 future_timespan=10 holdback=1
| eval LicLimit=410
| fields - upper* lower*
| eval lic_hit=if(predic1>=LicLimit,0,500)

What I want to do is somehow capture where the licence is being hit.

I was thinking of doing something like:

eval lic_hit=if(predic1>=LicLimit,0,500) -- 0 until it is hit and 500 thereafter

but I can't get this to work. I'm thinking I need a where, but I am not sure of the syntax to do this; something like:

where predict is >= to Liclimit, create a field called lic_hit from that point, else the field called lic_hit will be zero




Can you please validate whether predic1 is numeric? You can check it with isnum.




Yes, I think it is, if my understanding of the if function is right?

I added this to my search
... | eval test=if(isnum(predict1),"T","F")

And this is a sample of the output I get.

_time       ThrputMbps  Limit  lic_hit  predict1       test
2015-05-05  367.79      410    500                     F
2015-05-06  334.07      410    500                     F
2015-05-07  377.12      410    500      300.35         T
2015-05-08  328.83      410    500      375.072319312  T
2015-05-09  312.21      410    500      333.495        T


... | eval lic_hit2=if(min(predict1)<max(hLicLimit),4502,5002)

This works but is not what I want, but maybe this explains how the if function works.

What I want is: if the value of predict1 is < LicLimit, I want lic_hit to have a zero value for that row; else, if the value of predict1 is >= LicLimit, I want lic_hit to have a zero value for that row.


_time       ThrputMbps  Limit  lic_hit  predict1
2015-05-05  367.79      290    0        289
2015-05-06  334.07      290    500      290
2015-05-07  377.12      290    500      300.35
2015-05-08              290    500      375.072319312
2015-05-09              290    500      333.495


|eval lic_hit = if(isnum(predict1),if(predict1<LicLimit,0,500),0)

The above command will make sure that if the predicted value is not a number, it will assign 0 to lic_hit.

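A self-contained version of the accepted answer, added here as an example (it is not from the original thread). It replaces the index=core search with makeresults so it runs in any Splunk search bar without the Device data: the predict1 values and the 290 limit are constructed from the second table in the question, and a sixth row is constructed with no predict1 at all to exercise the isnum guard. The lic_hit_latched field is an assumption that goes beyond the answer: it uses streamstats to give the "0 until it is hit and 500 thereafter" behaviour the question first asked for, as opposed to the per-row flag. Two things worth noticing in the original search: it writes predic1 where predict named the field predict1, so the condition never matched and every row fell through to 500, and its branches are the reverse of the stated intent (0 when the limit is reached).

```spl
| makeresults count=6
| streamstats count AS n
| eval _time=strptime("2015-05-05", "%Y-%m-%d") + (n - 1) * 86400
| eval predict1=case(n=1, 289, n=2, 290, n=3, 300.35, n=4, 375.072319312, n=5, 333.495)
| eval LicLimit=290
| eval lic_hit=if(isnum(predict1), if(predict1<LicLimit, 0, 500), 0)
| streamstats max(lic_hit) AS lic_hit_latched
| table _time, predict1, LicLimit, lic_hit, lic_hit_latched
```

Row 1 (289 < 290) gets lic_hit=0, rows 2 to 5 get 500, and row 6, where case() returns null because no n=6 clause exists, gets 0 from the outer isnum branch rather than from a comparison against a missing value. lic_hit_latched is the running maximum of lic_hit, so it stays at 500 from the first hit onwards, including on row 6 where the per-row flag drops back to 0; that is the "from that point" semantics, while lic_hit alone is the per-row semantics the questioner settled on.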