Hi,
How can I use a combination of an IF statement along with AND.
I'm looking to run a count whereby IF the _hour is greater than a certain time, AND a server name matches a list, dont include the server in the results.
I have something like this;
mysearch...
| eval hour=tonumber(strftime(_time,"%H"))
| if(hour>2 AND NOT (dest="server1" OR dest="server2" OR dest="server3"))
| stats count by _time, hour, dest, status
Essentially I dont want to include results of a server between certain hours.
Any ideas? Thanks.
You are confusing two constructs...
| eval foo=if(bar=2,"value1",field2)
...and...
| where ((bar=2) AND (foo=field2))
...or possibly...
| search ((bar=2) AND (foo="value2"))
Remember that search
does not "dereference" the value on the right of the equals sign... it assumes that the thing on the right is a literal or a constant of some sort, as opposed to a field name.
Hey @jacqu3sy, if they solved your problem, please remember to "accept" an answer to award karma points and to close the question. You can upvote answers and comments too! All actions award karma points. 🙂
You are confusing two constructs...
| eval foo=if(bar=2,"value1",field2)
...and...
| where ((bar=2) AND (foo=field2))
...or possibly...
| search ((bar=2) AND (foo="value2"))
Remember that search
does not "dereference" the value on the right of the equals sign... it assumes that the thing on the right is a literal or a constant of some sort, as opposed to a field name.
Something like this you mean?
| eval suppress=if((hour > 2 and hour < 4 AND (dest="x.x.x.x")"yes","no"))
| where suppress="no"
the following worked, thanks for pointing in the right direction:
| eval suppress=if((hour >=10 AND hour <=13) AND (dest="x.x.x.x"),"yes", "no")
| where suppress="no"
@jacqu3sy - You can do it in one step...
| where NOT ((hour >=10 AND hour <=13) AND (dest="x.x.x.x"))
...or...
| where hour<10 OR hour>13 OR dest!="x.x.x.x"
I kind of follow, but I'm not sure how I would use this in the example I have.
Try this!
(your search) date_hour>2 NOT (dest="server1" OR dest="server2" OR dest="server3")
| stats count by date_hour, dest, status
| eval hour=tonumber(strftime(_time,"%H"))
↓
date_hour
Sorry, but I dont follow this. surely this query would ignore anything that occurs before 2? I only want it to ignore results before 2 when it matches a specific server name.
So I need to produce results ONLY if the hour is greater than 2 AND not a certain server. If the hour is less than 2 but a differant server than that listed in the query, I still need to see the results.
as a quick note, strftime(_time,"%H")
can be different than date_hour
when the user is set to a different time zone than the data. strftime(_time,"%H")
will put the calculate the hour for the time zone the user is in and date_hour
will be the hour the data says.
For instance. if a user is set to be in Central time and data is coming from Pacific time, strftime(_time,"%H")
will create a value of 4 and date_hour will have a value of 2.
Thank you for your help.