Splunk Search

using where and eval together to create a field based on conditions


I have a search using the predict function

index=core eventtype="Device" DeviceName=Device1 earliest=-10d@d latest=+10d@d | timechart span=d max(ThrputMbps) as ThrputMbps | predict ThrputMbps as predict1 future_timespan=10 holdback=1 | eval LicLimit=410 | fields - upper* lower* | eval lic_hit=if(predic1>=LicLimit,0,500)

What I want to do is somehow capture where the licenc is being hit.

I was thinking of doing something like:

eval lic_hit=if(predic1>=LicLimit,0,500) -- 0 until it is hit and 500 there after

but I cant get this to work. I'm thinking I need a where but I am not sure of the syntax to do this, something like

where predict is >= to Liclimit, create a field called lic_hit from that point, else the field called lic_hit will be zero

![alt text][1]

Tags (5)
0 Karma



Can you please validate is the predic1 is numeric? You can check it by command isnum.


0 Karma


Yes I thinkit is, if my understaning of the if function is right?

I added this to my search
...| | eval test=if(isnum(predict1),"T","F")

And this is a sample of the out put I get.

_time   ThrputMbps  Limit   lic_hit     predict1    test
2015-05-05  367.79  410     500         F
2015-05-06  334.07  410     500         F
2015-05-07  377.12  410     500     300.35  T
2015-05-08  328.83  410     500     375.072319312   T
2015-05-09  312.21  410     500     333.495     T
0 Karma


..| eval lic_hit2=if(min(predict1)<max(hLicLimit),4502,5002) this works but is not what I want, but maybe this expains how the if function works.

what I want is if the value of predict1 is < LicLimit I want lic_hit to have a zero value for that row, else if the value of predict1 is => LicLimit I want lic_hit to have a zero value for that row


 _time     ThrputMbps     Limit     lic_hit     predict1
 2015-05-05     367.79     290     0     289 
 2015-05-06     334.07     290     500     290
 2015-05-07     377.12     290     500     300.35     
 2015-05-08                     290     500     375.072319312     
 2015-05-09                     290     500     333.495    
0 Karma


|eval lic_hit = if(isnum(predict1),if(predict1<LicLimit,0,500),0)

Above command will make sure that if predicted value is not number it will assign 0 to lic_hit.

0 Karma
Did you miss .conf21 Virtual?

Good news! The event's keynotes and many of its breakout sessions are now available online, and still totally FREE!