If the "delta_value" is more than 2 then I'd like to replace the value1 to "error"
Raw data
No, _time, value1, delta_value
1, 05/26/2017 06:32:50, 5.949602127, 0
2, 05/26/2017 06:32:55, 15.949602127, 10
3, 05/26/2017 06:33:00, 16.949602127, 1
4, 05/26/2017 06:33:05, 17.949602127, 1
Final result
No, _time, value1, delta_value
1, 05/26/2017 06:32:50, 5.949602127, 0
2, 05/26/2017 error, 15.949602127, 10
3, 05/26/2017 06:33:00, 16.949602127, 1
4, 05/26/2017 06:33:05, 17.949602127, 1
How to do it smart?
@syokota [Splunk], please pipe the following eval with case() to match required condition and set the values accordingly
<YourBaseSearch>
| eval value1=case(delta1>2,"error",true(),value1)
In your example you have applied error to _time value.
Following is the run anywhere search based on your data (I have not included No field.)
| makeresults
| eval data="05/26/2017 06:32:50,5.949602127,0;05/26/2017 06:32:55,15.949602127,10;05/26/2017 06:33:00,16.949602127,1;05/26/2017 06:33:05,17.949602127,1"
| makemv data delim=";"
| mvexpand data
| eval data=split(data,",")
| eval _time=mvindex(data,0)
| eval value1=mvindex(data,1)
| eval delta1=mvindex(data,2)
| table _time value1 delta1
| eval value1=case(delta1>2,"error",true(),value1)
Please try out and confirm.
I'm sorry to write down "Final result", correct image is below.
Final result
No, _time, value1, delta_value
1, 05/26/2017 06:32:50, 5.949602127, 0
2, 05/26/2017 06:32:55, error, 10
3, 05/26/2017 06:33:00, 16.949602127, 1
4, 05/26/2017 06:33:05, 17.949602127, 1
@syokota [Splunk], please pipe the following eval with case() to match required condition and set the values accordingly
<YourBaseSearch>
| eval value1=case(delta1>2,"error",true(),value1)
In your example you have applied error to _time value.
Following is the run anywhere search based on your data (I have not included No field.)
| makeresults
| eval data="05/26/2017 06:32:50,5.949602127,0;05/26/2017 06:32:55,15.949602127,10;05/26/2017 06:33:00,16.949602127,1;05/26/2017 06:33:05,17.949602127,1"
| makemv data delim=";"
| mvexpand data
| eval data=split(data,",")
| eval _time=mvindex(data,0)
| eval value1=mvindex(data,1)
| eval delta1=mvindex(data,2)
| table _time value1 delta1
| eval value1=case(delta1>2,"error",true(),value1)
Please try out and confirm.
Thank you everyone!
I did it using below command.
|eval value1 = case(delta1="error","error",1=1,"unknown")
niketnilay beat me to it, so since I already thougth it through, you can also use "if"
<base search> | eval value1=if(delta_value>2,"error",value1)
While if()
is a hammer (you might hit a nail ;), see case()
as a nail gun.
Because it will handle each possible case of key value if you add a default group like this:
eval value1=case(delta1>2,"error",true(),value1,1=1,"unknown")
if nothing matches the case()
you will still have the field value1="unknown"
. An if()
would leave you empty in this case ...
cheers, MuS
@Mus, thanks for the perfect analogy, however, the true()
condition in my case statement is same as 1=1
. To me it made sense to include just two blocks i.e. "error" if value1 is greater than 2 and for everything else value1, i.e. for all number <=
2 and also non numeric fields it will show the value as is.
Indeed the true()
is always true 😉
The reason why I usually try to match as much as possible in the case()
and use the catch all 1=1, "unknown"
as last, is that you can then run a search to find any unknown
values and fix them.
A search example would be this:
| makeresults
| eval boo="2", foo=case(boo=1, boo, 1=1, "unknown")
| transpose
| search "row 1"="unknown"
| stats count values("row 1") AS value by column
| rename column AS fieldname
Agree. Same here 🙂