Splunk Search

Conditional Statements

MHibbin
Influencer

Hi Splunkbase,

I was wondering if someone would be able to assist with a problem that I am trying to get my head around, I am not able to get the desired results. Here is my problem...

Say I have some events, for example:

Device Location Result
a123   loc1     0  
b123   loc1     100
c123   loc1     0
----   ----     ------
a456   loc2     0
b456   loc2     0

I would like to group these devices by location, and then output a value dependant on the following condition... If for any device in a single location, the result is "100" then the output value for the whole location (new field) will be 100, or if all the devices in a single location have a result of "0" then I would like to output 0 to the new field.

So my expected results would be something like:

Location Result
loc1     100
loc2     0

Or something to that effect.

Any thoughts/suggestions.

Regards,

Matt

Tags (3)
0 Karma
1 Solution

Stephen_Sorkin
Splunk Employee
Splunk Employee

Your best bet is to use stats. Here you may want to use max() as an aggregator.

For example, append to your search:

| stats max(Result) as Result by Location

You can always use eval. For example, if you only care about Result being exactly 100:

| stats max(eval(if(Result==100, 100, 0))) as Result by Location

View solution in original post

Stephen_Sorkin
Splunk Employee
Splunk Employee

Your best bet is to use stats. Here you may want to use max() as an aggregator.

For example, append to your search:

| stats max(Result) as Result by Location

You can always use eval. For example, if you only care about Result being exactly 100:

| stats max(eval(if(Result==100, 100, 0))) as Result by Location

MHibbin
Influencer

Ha! Always the simplest solution that I overlooked!

Thanks.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...