Case conidtion on the searches

xiaoyuew · ‎12-19-2011

My logs contain a field "A", i need to calculate a new field "B" based on the SLOT,
when A=a1 OR A=a2, THEN B=avg of these 2 types of searches
when A=a3 OR A=a4 or A=a5, Then B =avg of these 3 types of searches
when A=a6 OR A=a7 , Then B =avg of these 2 types of searches
...

How should i do this? Thanks.

xiaoyuew · ‎12-20-2011

@Ayn

for example, i have the following 7 logs,

2011-DEC-17 slotid="Location-Maps-US-Sunnyvale" delta_msec="1487" seq="3"

2011-DEC-17 slotid="Location-Maps-US-MountainView" delta_msec="1445" seq="2"

2011-DEC-17 slotid="Location-Maps-US-SF" delta_msec="1465" seq="2"

2011-DEC-17 slotid="Location-Store-CA-MountainView" delta_msec="1445" seq="2"

2011-DEC-17 slotid="Location-Store-CA-SF" delta_msec="1245" seq="2"

2011-DEC-17 slotid="Location-Msg-CA-MountainView" delta_msec="1445" seq="2"

2011-DEC-17 slotid="Location-Msg-CA-SF" delta_msec="1245" seq="2"

i want to calculate a new field(avg_msec) based on the "slotid":
we would like to calculate an average for all logs matching "Location-Maps"
we would like to calculate an average for all logs matching "Location-Store"
we would like to calculate an average for all logs matching "Location-Msg"

Ayn · ‎12-20-2011

You should provide some more details on the searches to get real useful responses, however I imagine you will want to have a look at eval and its function case which handles precisely what it says. http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/CommonEvalFunctions

Case conidtion on the searches

Index This | Forward, I’m heavy; backward, I’m not. What am I?

A Guide To Cloud Migration Success

Join Us for Splunk University and Get Your Bootcamp Game On!