- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Issue with if()?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hey everyone. I am working to try and take a call record, subtract the time a call was placed from the time it was answered. This much works. After that I am trying to take the resulting number, and if its less than 30 eval it into another column. Here's the code:
index="sandbox" sourcetype="AS-CDR"
|where Called_Number="2155551060" OR Calling_Number="2155551060" OR Called_Number="12155551060" OR Calling_Number="12155551060" OR Called_Number="+12155551060" OR Calling_Number="+12155551060"
|eval TimeToAnswer=strptime(Answer_Time, "%Y%m%d%H%M%S.%q") - strptime(Start_Time, "%Y%m%d%H%M%S.%q")
|eval TimeToAnswerTest=if((TimeToAnswer<"30"),1,0)
|table TimeToAnswer TimeToAnswerTest
For some of the calls a result of 1 is seen when it should be. However for others, it isn't. Here are some example values that I'm getting back:
TimeToAnswer~TimeToAnswerTest 67.151000~0 (correct) 8.930000~0 (incorrect) 2.568000~1 (correct) 5.115000~0 (incorrect) 3.341000~1 (correct)
Any advice on what could be causing this would be extremely helpful. The numbers are being generated correctly, so I'm not sure why the if operator isn't always working correctly.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I believe it is the "s around the 30.
Try
index="sandbox" sourcetype="AS-CDR"
|where Called_Number="2155551060" OR Calling_Number="2155551060" OR Called_Number="12155551060" OR Calling_Number="12155551060" OR Called_Number="+12155551060" OR Calling_Number="+12155551060"
|eval TimeToAnswer=strptime(Answer_Time, "%Y%m%d%H%M%S.%q") - strptime(Start_Time, "%Y%m%d%H%M%S.%q")
|eval TimeToAnswerTest=if((TimeToAnswer<30),1,0)
|table TimeToAnswer TimeToAnswerTest
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I believe it is the "s around the 30.
Try
index="sandbox" sourcetype="AS-CDR"
|where Called_Number="2155551060" OR Calling_Number="2155551060" OR Called_Number="12155551060" OR Calling_Number="12155551060" OR Called_Number="+12155551060" OR Calling_Number="+12155551060"
|eval TimeToAnswer=strptime(Answer_Time, "%Y%m%d%H%M%S.%q") - strptime(Start_Time, "%Y%m%d%H%M%S.%q")
|eval TimeToAnswerTest=if((TimeToAnswer<30),1,0)
|table TimeToAnswer TimeToAnswerTest
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The rule regarding strings vs numbers in quotes is true in most where and eval statements, but not in search statements.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'm guessing that's the case, it certainly sounds sensible. I'm afraid I'm a newbie too though. FYI, those brackets around the test are also unnecessary.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
That worked perfectly. When you use quotes, does splunk process the contents of the quotes as a string as opposed to an integer/float?
Introducing the 2024 SplunkTrust!
Introducing the 2024 Splunk MVPs!
Splunk Custom Visualizations App End of Life
