How to create an If/Else statement inside an eval statement?

tonahoyos
Explorer

Hello All,

I am running the following search:

index="ledata_2017" NOT Project="60*"
| stats sum(ActualPTDCostsAMT) , sum(LEThisMthCostsAMT) 
| eval ActualTotal=-ActualTotal, LETotal=-LETotal, n=max(1,2,3,4,5,6,7,8,9,10,11,0,MonthNum)
| eval YTDAvg=(ActualTotal/n), YTGAvg=(LETotal-ActualTotal)/(15-n)
| table Project,Ratio,Number

I want to be able to include an if-else statement inside line 4, where I can indicate:

If projectA, then 14-n
else if projectB then n-3,
else 15-n (for the rest of the projects)

Is this possible?

Thank you all!

0 Karma
1 Solution

niketn
Legend

@tonahoyos, you can try the following, however keep in mind the following:

1) All fields to be used after the stats pipe must be included in the stats command like Project MonthNum etc.
2) Project!="60*" and NOT Project="60*" are different. Make sure you use correct one in your base search.
3) Ratio and Number fields in the final table pipe are not calculated in previous pipes.

index="ledata_2017" Project!="60*"
| stats sum(ActualPTDCostsAMT) as ActualTotal , sum(LEThisMthCostsAMT) as LETotal by Project MonthNum
| eval ActualTotal=-ActualTotal, LETotal=-LETotal, n=max(1,2,3,4,5,6,7,8,9,10,11,0,MonthNum)
| eval divisor = case(Project=="projectA",14-n,Project=="projectB",n-3,true(),15-n)
| eval YTDAvg=(ActualTotal/n), YTGAvg=(LETotal-ActualTotal)/divisor

Following is the run anywhere search based on Splunk's _internal index on similar lines as per the question:

index="_internal" log_level!="INFO"
| stats sum(date_second) as ActualTotal , sum(date_hour) as LETotal by log_level date_month
| eval ActualTotal=-ActualTotal, LETotal=-LETotal, n=max(1,2,3,4,5,6,7,8,9,10,11,0,date_mday)
| eval divisor = case(log_level=="ERROR",14-n,log_level=="WARN",n-3,true(),15-n)
| eval YTDAvg=(ActualTotal/n), YTGAvg=(LETotal-ActualTotal)/divisor
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"


0 Karma


tonahoyos
Explorer

This is how I included your recommendation, thank you! I will double check my results and see if there is anything wrong. Let me know if you see any inconsistencies in the code. Thanks again!

| stats sum(ActualPTDCostsAMT) as ActualTotal, sum(LEThisMthCostsAMT) as LETotal by Project
| eval ActualTotal=-ActualTotal, LETotal=-LETotal, n=max(1,2,3,4,5,6,7,8,9,10,11,0,MonthNum)
| eval divisor1=case(Project=="1405688",14-n, true(),15-n),
divisor2=case(Project=="1408525",n-3,Project=="1410522",n-4,Project=="1404501",n-4,Project=="1409599",n-3, true(),n)
| eval YTDAvg=(ActualTotal/divisor2), YTGAvg=(LETotal-ActualTotal)/divisor1
| eval Ratio=YTGAvg/YTDAvg
| eval Number=1
| table Project,Ratio,Number

niketn
Legend

@tonahoyos, a slight correction in your stats command: | stats .... by Project MonthNum, since MonthNum is used to decide n in the subsequent eval. I think the rest looks fine. Let us know if anything does not work!

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

tonahoyos
Explorer

Thank you! Everything is acting well, so far!

0 Karma

493669
Super Champion

You can use a case statement:

|eval fieldA = case(Project=="projectA","14-n",Project=="projectB","n-3",1==1,"15-n")

Now fieldA has the required output... You can use it as per your requirement.

0 Karma

tonahoyos
Explorer

What does the 1==1 do?

0 Karma

493669
Super Champion

If it does not match the first two conditions, then the else condition is specified by 1==1.

0 Karma
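To make the case() behaviour in the accepted answer and in 493669's explanation of the 1==1 catch-all concrete, here is an added Python model of that pipeline. It is not Splunk code and not from any of the posters: spl_case() reproduces the semantics of eval case() (the value of the first true condition wins; null when nothing matches), and run_pipeline() replays the filter, the stats by Project MonthNum, and the divisor eval over a constructed set of events that stands in for the ledata_2017 index. The project names and cost values are made up; the wildcard Project!="60*" is modelled as a prefix test on a present field.

```python
"""Python model of the accepted answer's SPL pipeline (added example, not Splunk code).

spl_case() mimics eval case(): it returns the value paired with the first true
condition and None (Splunk null) when no condition matches. That null is exactly
what the true() / 1==1 fallback in the answers prevents: without it, projects
outside the named ones get a null divisor and therefore a null YTGAvg.
"""
from collections import defaultdict

# Constructed sample events standing in for index="ledata_2017" (assumed field names
# taken from the question; values are invented for illustration).
EVENTS = [
    {"Project": "projectA", "MonthNum": 3,  "ActualPTDCostsAMT": -100.0, "LEThisMthCostsAMT": -400.0},
    {"Project": "projectA", "MonthNum": 3,  "ActualPTDCostsAMT":  -50.0, "LEThisMthCostsAMT": -200.0},
    {"Project": "projectB", "MonthNum": 12, "ActualPTDCostsAMT": -240.0, "LEThisMthCostsAMT": -600.0},
    {"Project": "projectC", "MonthNum": 5,  "ActualPTDCostsAMT":  -66.0, "LEThisMthCostsAMT": -300.0},
    {"Project": "601234",   "MonthNum": 5,  "ActualPTDCostsAMT":  -99.0, "LEThisMthCostsAMT": -999.0},
]


def spl_case(*args):
    """Emulate eval case(cond1, val1, cond2, val2, ...).

    Conditions arrive already evaluated (bools). The first true condition wins;
    if none is true the result is None, which models Splunk's null.
    """
    if len(args) % 2:
        raise ValueError("case() needs condition/value pairs")
    for cond, val in zip(args[::2], args[1::2]):
        if cond:
            return val
    return None


def run_pipeline(events, with_default=True):
    """Replay the accepted answer's search over the constructed events.

    with_default=False drops the true(),15-n branch to show what the catch-all
    (written as true() or 1==1 in the answers) is protecting against.
    """
    # index="ledata_2017" Project!="60*"  (wildcard modelled as a prefix match)
    kept = [e for e in events if not e["Project"].startswith("60")]

    # | stats sum(ActualPTDCostsAMT) as ActualTotal, sum(LEThisMthCostsAMT) as LETotal by Project MonthNum
    groups = defaultdict(lambda: {"ActualTotal": 0.0, "LETotal": 0.0})
    for e in kept:
        g = groups[(e["Project"], e["MonthNum"])]
        g["ActualTotal"] += e["ActualPTDCostsAMT"]
        g["LETotal"] += e["LEThisMthCostsAMT"]

    rows = []
    for (project, month), g in sorted(groups.items()):
        # | eval ActualTotal=-ActualTotal, LETotal=-LETotal, n=max(1,...,11,0,MonthNum)
        actual, le = -g["ActualTotal"], -g["LETotal"]
        n = max(1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 0, month)

        # | eval divisor = case(Project=="projectA",14-n, Project=="projectB",n-3, true(),15-n)
        branches = [project == "projectA", 14 - n, project == "projectB", n - 3]
        if with_default:
            branches += [True, 15 - n]
        divisor = spl_case(*branches)

        # | eval YTDAvg=(ActualTotal/n), YTGAvg=(LETotal-ActualTotal)/divisor
        ytd = actual / n
        ytg = None if divisor is None else (le - actual) / divisor  # null propagates, as in SPL
        rows.append({"Project": project, "MonthNum": month, "n": n,
                     "divisor": divisor, "YTDAvg": ytd, "YTGAvg": ytg})
    return rows


if __name__ == "__main__":
    for row in run_pipeline(EVENTS):
        print(row)
    print("without catch-all:", run_pipeline(EVENTS, with_default=False)[2])
```

Running it shows projectA with divisor 14-n, projectB with n-3 and projectC falling through to 15-n; the second call shows projectC's divisor and YTGAvg becoming null once the catch-all branch is omitted, which is the situation 1==1 (or true()) exists to avoid.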