Solved: Re: How to control values of a field relative to t...

HattrickNZ · ‎05-07-2015

I have this search, and this at least gives me some output but not as I would like.

index=_internal sourcetype="splunk_web_access" | timechart count(uri) | eval test=if(_time<="2015-04-29",450,600)

But what I want to do is be able to control the value of the test field relative to the _time field.
For instance, I would like test to be equal to 450 up to this date "2015-04-29" and then 600 afer that.
What is the corerct syntax to do this?

The output of my data looks something like this:

_time   count(uri)  test
2015-04-08  1   450
2015-04-09  1   450
2015-04-10  1   450
2015-04-11  0   450

ramdaspr · ‎05-07-2015

_time is actually a timestamp and not the %Y-%m-%d representation so if you do an

eval tcheck=strptime("2015-04-29","%F") | eval test=if(_time&lt;=tcheck,450,600)

and that should work

View solution in original post

ramdaspr · ‎05-07-2015

_time is actually a timestamp and not the %Y-%m-%d representation so if you do an

eval tcheck=strptime("2015-04-29","%F") | eval test=if(_time&lt;=tcheck,450,600)

and that should work

HattrickNZ · ‎05-07-2015

thank you!

How to control values of a field relative to the values in the _time field

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

.conf24 | Personalize your .conf experience with Learning Paths!

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...