newspaint

Documenting Problems That Were Difficult To Find The Answer To

If With Multiple Conditions in Splunk Eval

A common need when using the if() function inside Splunk's eval command is to test more than one condition at once. Unfortunately this is very poorly documented on the Splunk website.

You can combine conditions with the AND and OR keywords (rather than the && or || you might have expected from other languages), wrapping each comparison in parentheses.

e.g.:

index=os sourcetype=ps host=myhost01
  |rex field=CPUTIME "^((?<c_days>\d+)-)?(?<c_hours>\d\d):(?<c_mins>\d\d):(?<c_secs>\d\d)$"
  |eval cpusec=if( isnum(c_days), c_days, 0)*24*3600 + (c_hours*3600) + (c_mins*60) + c_secs
  |eval aa_inrange=if( (cpusec>1000) AND (cpusec<2000), 1, 0 )
  |search aa_inrange=1
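The pipeline above reproduced in Python, as an added example that is not from the post or from Splunk, using the same regex and the same arithmetic so that the expected cpusec values and the AND test can be checked offline before the search is run. It assumes the named groups are c_days, c_hours, c_mins and c_secs (the names the eval uses), that Splunk's isnum() is false for the null c_days left by an unmatched optional group, and it adds an OR predicate of the kind the post only mentions. The ps events are constructed sample data.

```python
import re

# Same pattern as the rex stage above (PCRE named groups written in Python syntax).
CPUTIME_RE = re.compile(
    r"^((?P<c_days>\d+)-)?(?P<c_hours>\d\d):(?P<c_mins>\d\d):(?P<c_secs>\d\d)$"
)


def extract(cputime):
    """Mirror of the rex stage: return the four named-group fields, with
    c_days set to None when the optional days group did not match (Splunk
    leaves that field null). Return None when the whole pattern fails."""
    m = CPUTIME_RE.match(cputime)
    if m is None:
        return None
    return {k: m.group(k) for k in ("c_days", "c_hours", "c_mins", "c_secs")}


def cpusec(fields):
    """Mirror of the first eval:
    if(isnum(c_days), c_days, 0)*24*3600 + c_hours*3600 + c_mins*60 + c_secs.
    A null c_days fails isnum() in Splunk, so it contributes 0 here too."""
    days = int(fields["c_days"]) if fields["c_days"] is not None else 0
    return (
        days * 24 * 3600
        + int(fields["c_hours"]) * 3600
        + int(fields["c_mins"]) * 60
        + int(fields["c_secs"])
    )


def in_range(secs, low=1000, high=2000):
    """Mirror of the second eval: if((cpusec>low) AND (cpusec<high), 1, 0)."""
    return 1 if (secs > low) and (secs < high) else 0


def is_outlier(secs, short=60, long=86400):
    """Assumed extra predicate showing the OR form:
    if((cpusec<short) OR (cpusec>long), 1, 0)."""
    return 1 if (secs < short) or (secs > long) else 0


def search(events):
    """Mirror of the whole pipeline over ps events: events whose CPUTIME does
    not match get no fields, so the AND test is false and they are dropped,
    exactly as '| search aa_inrange=1' would drop them."""
    out = []
    for ev in events:
        fields = extract(ev["CPUTIME"])
        if fields is None:
            continue
        secs = cpusec(fields)
        if in_range(secs):
            out.append(dict(ev, cpusec=secs, aa_inrange=1))
    return out


# Constructed sample events, not real ps output.
SAMPLE_EVENTS = [
    {"COMMAND": "sshd", "CPUTIME": "00:16:40"},    # exactly 1000 s: not > 1000
    {"COMMAND": "java", "CPUTIME": "00:25:00"},    # 1500 s: inside the range
    {"COMMAND": "cron", "CPUTIME": "1-00:00:05"},  # 86405 s: days group present
    {"COMMAND": "bash", "CPUTIME": "00:00:30"},    # 30 s
    {"COMMAND": "odd",  "CPUTIME": "n/a"},         # rex fails: no fields at all
]

if __name__ == "__main__":
    for ev in search(SAMPLE_EVENTS):
        print(ev)
```

Running the file prints only the java event; the boundary case sshd (exactly 1000 seconds) is excluded because the test is a strict greater-than, which is worth checking against the live search when the range edges matter.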
