topic Rag status using if/case in Splunk Search

Rag status using if/case

codedtech — Wed, 02 Sep 2020 12:52:44 GMT

Hello Everyone,

I have a really simple question but I can'f figure it out for the life of me. I have a query set up that gives me the utilization of an array, and I want to have a text based field for its RAG status. This is what I'm using

| eval RAG=(Class='DB' AND Utilization >= 62, "Red", Utilization >= 50, "Yellow", Utilization < 40, "Green")

I've tried to run it and I keep getting the eval statement is malformed error. Any help you can give would be appreciated.

Re: Rag status using if/case

richgalloway — Wed, 02 Sep 2020 13:04:56 GMT

It looks like you're trying to use a case statement without including the "case" keyword.

Re: Rag status using if/case

Nisha18789 — Wed, 02 Sep 2020 13:08:10 GMT

hi @codedtech , try this

| eval RAG=case(Class='DB' AND Utilization >= 62, "Red", Utilization >= 50, "Yellow", Utilization < 40, "Green",1=1,"Unmatched")

Re: Rag status using if/case

codedtech — Wed, 02 Sep 2020 15:11:05 GMT

@Nisha18789 Thank you so much, that helped a ton. My next question is how do I get it to build off a list for all of these?

class	Green	Yellow	Red
DB	<60.0	>=68.0	>=75.0
WEB	<55.0	>=63.0	>=93.0
APP	<50.0	>=80.0	>=90.0
ZFS	<45.0	>=66.0	>=85.0

Re: Rag status using if/case

Nisha18789 — Wed, 02 Sep 2020 23:40:27 GMT

Hi @codedtech you can use chart command as below after the case statement, in place of values() function you can use any other function that suits your requirement.

| chart values(utilization) over RAG by Class

hope this helps, please upvote or mark my previous post as solution is that answered your original question.

Re: Rag status using if/case

laurag — Mon, 07 Sep 2020 16:05:36 GMT

I am also trying to classify a RAG status which has different RAG cut-offs per "Class" such as displayed in the table from @codedtech , would each rule need to be stated in the "case" statement before using the chart command?