Splunk Search

How can I use a combination of an IF statement along with AND?

jacqu3sy
Path Finder

Hi,

How can I use a combination of an IF statement along with AND?

I'm looking to run a count whereby IF the _hour is greater than a certain time, AND a server name matches a list, don't include the server in the results.

I have something like this;

mysearch...
| eval hour=tonumber(strftime(_time,"%H"))
| if(hour>2 AND NOT (dest="server1" OR dest="server2" OR dest="server3"))
| stats count by _time, hour, dest, status

Essentially I don't want to include results of a server between certain hours.

Any ideas? Thanks.

0 Karma
1 Solution

DalJeanis
SplunkTrust

You are confusing two constructs...

| eval foo=if(bar=2,"value1",field2)

...and...

| where ((bar=2) AND (foo=field2))

...or possibly...

| search ((bar=2) AND (foo="value2"))

Remember that search does not "dereference" the value on the right of the equals sign... it assumes that the thing on the right is a literal or a constant of some sort, as opposed to a field name.


0 Karma
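A runnable illustration of the three constructs contrasted in the answer above, added here as an example and not code from the original thread. It builds four sample events with makeresults (constructed data, not from the original question) and reuses the answer's field names bar, foo and field2. The eval columns record what each construct decides for every row, so you can see the dereferencing behaviour before the final where removes the rows it would drop.

```spl
| makeresults count=4
| streamstats count AS n
| eval bar=if(n<=2, 2, 3)
| eval field2="value2"
| eval foo=if(n%2=1, "value2", "other")
| eval result=if(bar=2, "value1", field2)
| eval where_keeps=if((bar=2) AND (foo=field2), "yes", "no")
| table n bar foo field2 result where_keeps
| where (bar=2) AND (foo=field2)
```

Run it once without the last line to see all four rows: result is "value1" for rows 1 and 2 (bar=2) and the value of field2, "value2", for rows 3 and 4, because eval treats the unquoted field2 as a field name. Only row 1 has where_keeps="yes", and it is the only row the final where returns. Swap the last line for `| search (bar=2) AND (foo=field2)` and nothing comes back, since search compares foo with the literal string field2; `| search (bar=2) AND (foo="value2")` matches row 1 again.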

lfedak_splunk
Splunk Employee

Hey @jacqu3sy, if they solved your problem, please remember to "accept" an answer to award karma points and to close the question. You can upvote answers and comments too! All actions award karma points. 🙂

0 Karma

jacqu3sy
Path Finder

Something like this you mean?

| eval suppress=if((hour > 2 and hour < 4 AND (dest="x.x.x.x")"yes","no"))
| where suppress="no"

0 Karma

jacqu3sy
Path Finder

The following worked, thanks for pointing in the right direction:

| eval suppress=if((hour >=10 AND hour <=13) AND (dest="x.x.x.x"),"yes", "no")
| where suppress="no"

0 Karma

DalJeanis
SplunkTrust

@jacqu3sy - You can do it in one step...

| where NOT ((hour >=10 AND hour <=13) AND (dest="x.x.x.x"))

...or...

| where hour<10 OR hour>13 OR dest!="x.x.x.x"

0 Karma
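The time-window exclusion discussed in this thread, as an added example rather than code from the original posts. It constructs six sample events with makeresults (the hour, dest and status values are made up) and computes the suppress flag from the accepted working query alongside the two one-step forms from the post above, so every row shows that the three expressions make the same keep/drop decision. Servers other than x.x.x.x are kept at every hour, and x.x.x.x is kept outside 10 to 13, which is the behaviour the question asked for.

```spl
| makeresults count=6
| streamstats count AS n
| eval hour=case(n=1, 9, n=2, 11, n=3, 13, n=4, 14, n=5, 11, n=6, 2)
| eval dest=if(n<=4, "x.x.x.x", "other-host")
| eval status=200
| eval suppress=if((hour>=10 AND hour<=13) AND (dest="x.x.x.x"), "yes", "no")
| eval keep_not=if(NOT ((hour>=10 AND hour<=13) AND (dest="x.x.x.x")), "yes", "no")
| eval keep_demorgan=if(hour<10 OR hour>13 OR dest!="x.x.x.x", "yes", "no")
| table n hour dest status suppress keep_not keep_demorgan
| where NOT ((hour>=10 AND hour<=13) AND (dest="x.x.x.x"))
| stats count BY hour, dest, status
```

Without the last two lines the table shows rows 2 and 3 (x.x.x.x at hours 11 and 13) with suppress="yes" and both keep columns "no", and every other row the other way round. With them, stats returns four groups of count 1: hours 2 and 11 for other-host, and hours 9 and 14 for x.x.x.x. One caveat when you move this filter into the base search instead of a where clause: in the search command, `NOT dest="x.x.x.x"` also matches events that have no dest field at all, while `dest!="x.x.x.x"` only matches events whose dest exists and has a different value, so pick the form that matches what you want done with events missing the field.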

jacqu3sy
Path Finder

I kind of follow, but I'm not sure how I would use this in the example I have.

0 Karma

HiroshiSatoh
Champion

Try this!

(your search) date_hour>2  NOT (dest="server1" OR dest="server2" OR dest="server3")
| stats count by date_hour, dest, status

| eval hour=tonumber(strftime(_time,"%H"))

date_hour

jacqu3sy
Path Finder

Sorry, but I don't follow this. Surely this query would ignore anything that occurs before 2? I only want it to ignore results before 2 when it matches a specific server name.

So I need to produce results ONLY if the hour is greater than 2 AND not a certain server. If the hour is less than 2 but a different server than that listed in the query, I still need to see the results.

0 Karma

cmerriman
Super Champion

As a quick note, strftime(_time,"%H") can be different than date_hour when the user is set to a different time zone than the data. strftime(_time,"%H") will calculate the hour for the time zone the user is in, and date_hour will be the hour the data says.

For instance, if a user is set to be in Central time and data is coming from Pacific time, strftime(_time,"%H") will create a value of 4 and date_hour will have a value of 2.

0 Karma

HiroshiSatoh
Champion

Thank you for your help.

0 Karma