- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Nested IF Structure - Assign Values
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello,
We have a nested IF structure and we want to use it to assign a value to a field called PenaltyPoints1
Firstly it checks to see if the current time meets the required minimum time, if that's true then it should search for the phrase "End Program" and if it finds it, PenaltyPoints1 should be set a value of 0, if it cannot find it, then it should be assigned a value of 100.
Thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Mark,
so the final solution is
...| eval PenaltyPoints=if(<time> < <timelimit> ,if(match(_raw,".*End Program.*"), "0","100"), " ")
of course time and timelimit are just placeholders
Fritz
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Mark,
so the final solution is
...| eval PenaltyPoints=if(<time> < <timelimit> ,if(match(_raw,".*End Program.*"), "0","100"), " ")
of course time and timelimit are just placeholders
Fritz
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
you can nest ifs just like any other function, e.g.
...| eval PenatlyPoints=if(<time> < <timelimit> ,if(match(<field>,".*"End Program.*"), "1","100"), " ")
see also http://docs.splunk.com/Documentation/Splunk/6.1.5/SearchReference/CommonEvalFunctions
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi FritzWittwer,
Unfortunately, the "End Program" isn't in a field, it's in the content of the Event.
Thanks for the quick response.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It also appears to error with "Unbalanced Quotes", can you use "event" as a field? Also, Could you explain the match(field, "."End Program." as it seems to me you're searching for "End Program" as opposed to End Program
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Mark,
it had a typo, the double quote in front of End was superfluous
...| eval PenatlyPoints=if(<time> < <timelimit> ,if(match(_raw,".*End Program.*"), "1","100"), " ")
sorry for the confusion.
The match function returns true only if the filed contains a value which is matched by the regular expression, in the example above it will be true if the string End Program is found somewhere in the field _raw (the complete event)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi FtizWittwer, Don't suppose you know anything about eventstats.
http://answers.splunk.com/answers/208180/eventstats-count-function.html
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi FritzWittwer,
Thanks for that, I've changed the 1 to a 0 as they should not receive any penaltypoints for finishing the job at the right time.
I'll mark it as the answer now, but first would you mind converting your comment to an answer?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Mark,
in this case you can just use the filed named _raw this contains the whole raw event data.
Fritz
.conf24 | Registration Open!
ICYMI - Check out the latest releases of Splunk Edge Processor
Introducing the 2024 SplunkTrust!
