several if-else

  • 22 March 2024
  • 3 replies

Hi everyone, I have an issue:

I am writing a query. My query contains more than one if-else. However, because there are too many if-else, it does not return any result and gets stuck in “searching”. I wonder if there is a limit for else-if? If there is a small amount of else-if, it works, the query works, but if there is too much, unfortunately it doesn't work. I need help with this!!! Since the values corresponding to each condition are different, I should use the else-if structure. I am open to different solution methods by the way.

The query I wrote is as follows (here I just wanted to draw attention to the amount of else-if)

I also get the following error: “No Response from server”

| process eval("
foo=if(alert=='xyz1') {return 1.2}
else-if(alert=='xyz2') {return 1.0}
else-if(alert=='xyz3') {return 1.21}
else-if(alert=='xyz4') {return 1.2}
else-if(alert=='xyz5') {return 1.29}
else-if(alert=='xyz6') {return 1.25}
else-if(alert=='xyz7') {return 1.29}
else-if(alert=='xyz8') {return 1.200}
else-if(alert=='xyz9') {return 1.24}
else-if(alert=='xyz10') {return 1.25}
else-if(alert=='xyz11') {return 2.2}
else-if(alert=='xyz12') {return 0.2}
else-if(alert=='xyz13') {return 13.2}
else-if(alert=='xyz14') {return 1.2}
else-if(alert=='xyz15') {return 5.2}
else-if(alert=='xyz16') {return 9.2}
else-if(alert=='xyz16') {return 55.2}
else-if(alert=='xyz17') {return 9.2}
else-if(alert=='xyz18') {return 6.2}
else-if(alert=='xyz19') {return 10.2}
else-if(alert=='xyz20') {return 18.2}
else-if(alert=='xyz21') {return 19.2}
else-if(alert=='xyz22') {return 9.2}
else-if(alert=='xyz23') {return 71.2}
else-if(alert=='xyz24') {return 19.2}
else-if(alert=='xyz25') {return 16.2}
else-if(alert=='xyz26') {return 9.2}
else-if(alert=='xyz27') {return 41.2}
else-if(alert=='xyz28') {return 18.2}
else-if(alert=='xyz29') {return 19.2}
else-if(alert=='xyz30') {return 121.2}
else-if(alert=='xyz31') {return 1.221}
else-if(alert=='xyz32') {return 11.2}
else-if(alert=='xyz33') {return 156.2}
else-if(alert=='xyz34') {return 15.2}
else-if(alert=='xyz35') {return 12.2}
else-if(alert=='xyz36') {return 1.2}
else-if(alert=='xyz37') {return 1.2}
else-if(alert=='xyz38') {return 15.2}
else-if(alert=='xyz39') {return 1.2}
else-if(alert=='xyz40') {return 15.2}
else-if(alert=='xyz41') {return 16.2}
else-if(alert=='xyz42') {return 19.2}
" )

| timechart count(alert) as cnt by alert, foo every 1 day
| timechart sum(foo*cnt) as t1, sum(cnt) as num every 1 day
| timechart sum(t1/num) as risk every 1 day

3 replies

I wasn’t aware of a limit to the number of eval command parameters, but it looks like you found it.

If I understand what you’re doing correctly, this looks to be like another example of an enrichment table and a lookup command being a better way of achieving what you need.

I.e. create a table with columns “alert, foo” and then “xyz1, 1.2”, “xyz2, 1.0” etc.

And then simply use | process lookup(tablename, alert), and the foo field should be enriched.

Yes, you are right, that's exactly what I'm trying to do. Another colleague suggested the solution you mentioned. I'll apply it. It's very likely the definitive solution. But it was still important for me to understand that there was such a limit. I will write again as soon as I get it done. Thank you very much for the answer.

As a result: as you mentioned above, by doing | process lookup(table,alert), you get rid of too many else-if structures in the query and in this way LogPoint is not loaded. I solved the problem by doing Enrichment. I also created a support ticket. As a solution, when I added the "limit_request_line = 8100" section in ConfigFile, the problem was solved.
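
Added example, not part of the original thread and not Logpoint code: a Python script that turns an else-if chain like the one in the question into the "alert, foo" rows suggested in the reply, and reports branches that repeat an earlier condition (the second 'xyz16' above). Assumptions: the table is written as CSV, the first matching branch of the chain wins, and the function names are hypothetical.

```python
import csv
import io
import re

# Constructed sample: a shortened copy of the chain from the question,
# keeping the repeated 'xyz16' branch.
CHAIN = """
foo=if(alert=='xyz1') {return 1.2}
else-if(alert=='xyz2') {return 1.0}
else-if(alert=='xyz16') {return 9.2}
else-if(alert=='xyz16') {return 55.2}
else-if(alert=='xyz17') {return 9.2}
"""

# Matches both "if(...)" and "else-if(...)" branches of the form
# if(<field>=='<key>') {return <number>}
BRANCH = re.compile(
    r"if\(\s*(\w+)\s*==\s*'([^']*)'\s*\)\s*\{\s*return\s+([0-9.]+)\s*\}"
)


def chain_to_rows(chain):
    """Return (rows, shadowed).

    rows maps key -> value, keeping the first branch for each key
    (assumption: the chain is evaluated top to bottom, first match wins).
    shadowed lists later branches whose condition repeats an earlier key
    and which therefore could never have run.
    Values stay strings so '1.0' or '1.200' are written exactly as typed.
    """
    rows, shadowed = {}, []
    for _field, key, value in BRANCH.findall(chain):
        if key in rows:
            shadowed.append((key, value))
        else:
            rows[key] = value
    return rows, shadowed


def rows_to_csv(rows, key_col="alert", value_col="foo"):
    """Serialise the mapping as CSV with a header row."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow([key_col, value_col])
    writer.writerows(rows.items())
    return buf.getvalue()


if __name__ == "__main__":
    table, dead = chain_to_rows(CHAIN)
    print(rows_to_csv(table), end="")
    for key, value in dead:
        print(f"# unreachable branch: {key} -> {value}")
```

Review any reported unreachable branch before loading the table, since the risk weight it carries was never applied by the original query.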