Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

using where and eval together to create a field based on conditions

HattrickNZ
Motivator
‎05-13-2015 08:02 PM

I have a search using the predict function

index=core eventtype="Device" DeviceName=Device1 earliest=-10d@d latest=+10d@d | timechart span=d max(ThrputMbps) as ThrputMbps | predict ThrputMbps as predict1 future_timespan=10 holdback=1 | eval LicLimit=410 | fields - upper* lower* | eval lic_hit=if(predic1>=LicLimit,0,500)

What I want to do is somehow capture where the licenc is being hit.

I was thinking of doing something like:

eval lic_hit=if(predic1>=LicLimit,0,500) -- 0 until it is hit and 500 there after

but I cant get this to work. I'm thinking I need a where but I am not sure of the syntax to do this, something like

where predict is >= to Liclimit, create a field called lic_hit from that point, else the field called lic_hit will be zero

PIC:
![alt text][1]

Tags (5)
Preview file
1 KB
Preview file
1 KB
0 Karma
Reply

vganjare
Builder
‎05-13-2015 10:27 PM

Hi,

Can you please validate is the predic1 is numeric? You can check it by command isnum.

Thanks!!

0 Karma
Reply

HattrickNZ
Motivator
‎05-14-2015 01:05 PM

Yes I thinkit is, if my understaning of the if function is right?

I added this to my search
...| | eval test=if(isnum(predict1),"T","F")

And this is a sample of the out put I get. 

_time   ThrputMbps  Limit   lic_hit     predict1    test
2015-05-05  367.79  410     500         F
2015-05-06  334.07  410     500         F
2015-05-07  377.12  410     500     300.35  T
2015-05-08  328.83  410     500     375.072319312   T
2015-05-09  312.21  410     500     333.495     T
2015-05-10
0 Karma
Reply

HattrickNZ
Motivator
‎05-14-2015 02:20 PM

..| eval lic_hit2=if(min(predict1)<max(hLicLimit),4502,5002) this works but is not what I want, but maybe this expains how the if function works.

what I want is if the value of predict1 is < LicLimit I want lic_hit to have a zero value for that row, else if the value of predict1 is => LicLimit I want lic_hit to have a zero value for that row

E.G.

 _time     ThrputMbps     Limit     lic_hit     predict1
 2015-05-05     367.79     290     0     289 
 2015-05-06     334.07     290     500     290
 2015-05-07     377.12     290     500     300.35     
 2015-05-08                     290     500     375.072319312     
 2015-05-09                     290     500     333.495
0 Karma
Reply

Arun_N_007
Communicator
‎05-19-2015 11:48 PM

Use,
|eval lic_hit = if(isnum(predict1),if(predict1<LicLimit,0,500),0)

Above command will make sure that if predicted value is not number it will assign 0 to lic_hit.

0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...