Solved: Custom Condition

TiagoMatos · ‎09-09-2013

Hello, I have a table that returns with these fields: AvgLow and AvgLowNOW, but they appear many times, like this

AvgLow AvgLowNOW
a b
a b
a b
a b
a b

I need to create an alert for when AvgLowNOW is greater then AvgLow. But in custome search condition with "search AvgLowNOW>AvgLow", I catch no events. What can I do to solve this?

Thank you

wagnerbianchi · ‎09-09-2013

Try if() or case() eval functions
http://docs.splunk.com/Documentation/Splunk/5.0.4/SearchReference/Eval

hypothetical example:
index=appmgmt | eval x=if(status>=status_description,1,0) | table x

View solution in original post

rturk · ‎09-10-2013

Hi Tiago,

From your comments in the other answer, it looks as though you're nearly there. The where function is definitely your friend.

<base search> | where AvgLow < AvgLowNOW

This will return all results where AvgLowNOW is greater than AvgLow (no need to dedup)

Reference:

where: http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Where

wagnerbianchi · ‎09-09-2013

Try if() or case() eval functions
http://docs.splunk.com/Documentation/Splunk/5.0.4/SearchReference/Eval

hypothetical example:
index=appmgmt | eval x=if(status>=status_description,1,0) | table x

TiagoMatos · ‎09-09-2013

Ok thank you!

wagnerbianchi · ‎09-09-2013

Is that work? look the example I've just sent...

TiagoMatos · ‎09-09-2013

I tried this

search dedup AvgOut,AvgOutQNOW | where AvgOutQNOW>AvgOut

TiagoMatos · ‎09-09-2013

I'm Portuguese, but on my work place I don't have access to skype.

Custom Condition

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor