https://community.splunk.com/t5/Splunk-Search/How-to-chooose-one-value-based-on-applying-conditions-to-table/m-p/523127#M147547 <P>I have a table like below. Which plots different services under one column Service A (Subservices - A1 to A5) / Service B (Subservices - B1 to B5) .&nbsp; I need to take a new column denotes one Final Status like this if any of one Status is RED then the final status is RED, If there is no RED but one YELLOW And many GREEN then final status if YELLOW. What will be the best condition i can use to achieve the final one result</P><TABLE border="1" width="100%"><TBODY><TR><TD width="50%">Service</TD><TD width="50%">Status</TD></TR><TR><TD width="50%">A1</TD><TD width="50%">GREEN</TD></TR><TR><TD width="50%">A2</TD><TD width="50%">RED</TD></TR><TR><TD width="50%">A3</TD><TD width="50%">YELLOW</TD></TR><TR><TD width="50%">A4&nbsp;</TD><TD width="50%">GREEN</TD></TR><TR><TD width="50%">A5</TD><TD width="50%">GREEN</TD></TR></TBODY></TABLE> Tue, 06 Oct 2020 08:21:24 GMT Naga 2020-10-06T08:21:24Z https://community.splunk.com/t5/Splunk-Search/How-to-chooose-one-value-based-on-applying-conditions-to-table/m-p/523127#M147547 <P>I have a table like below. Which plots different services under one column Service A (Subservices - A1 to A5) / Service B (Subservices - B1 to B5) .&nbsp; I need to take a new column denotes one Final Status like this if any of one Status is RED then the final status is RED, If there is no RED but one YELLOW And many GREEN then final status if YELLOW. What will be the best condition i can use to achieve the final one result</P><TABLE border="1" width="100%"><TBODY><TR><TD width="50%">Service</TD><TD width="50%">Status</TD></TR><TR><TD width="50%">A1</TD><TD width="50%">GREEN</TD></TR><TR><TD width="50%">A2</TD><TD width="50%">RED</TD></TR><TR><TD width="50%">A3</TD><TD width="50%">YELLOW</TD></TR><TR><TD width="50%">A4&nbsp;</TD><TD width="50%">GREEN</TD></TR><TR><TD width="50%">A5</TD><TD width="50%">GREEN</TD></TR></TBODY></TABLE> Tue, 06 Oct 2020 08:21:24 GMT https://community.splunk.com/t5/Splunk-Search/How-to-chooose-one-value-based-on-applying-conditions-to-table/m-p/523127#M147547 Naga 2020-10-06T08:21:24Z https://community.splunk.com/t5/Splunk-Search/How-to-chooose-one-value-based-on-applying-conditions-to-table/m-p/523129#M147548 <P>Try</P><P>&nbsp;</P><LI-CODE lang="markup">|eventstats values(Status) as StatusList by Parent |eval FinalStatus=case(isnotnull(mvfind(StatusList,"RED")),"RED",isnotnull(mvfind(StatusList,"YELLOW")),"YELLOW",isnotnull(mvfind(StatusList,"GREEN")),"GREEN",1==1,"NA") |fields - StatusList</LI-CODE><P>&nbsp;</P><P>Here Parent is 'A'</P><P>Run anywhere example</P><P>&nbsp;</P><LI-CODE lang="markup">|makeresults|eval Service="A1 A2 A3 A4 A5"|makemv Service|mvexpand Service |appendcols [|makeresults | eval Status="GREEN RED YELLOW GREEN GREEN"|makemv Status|mvexpand Status] |table Service, Status |rex field=Service "(?&lt;Parent&gt;\D+)" |eventstats values(Status) as StatusList by Parent |eval FinalStatus=case(isnotnull(mvfind(StatusList,"RED")),"RED",isnotnull(mvfind(StatusList,"YELLOW")),"YELLOW",isnotnull(mvfind(StatusList,"GREEN")),"GREEN",1==1,"NA") |fields - StatusList</LI-CODE><P>&nbsp;</P><P>Parent extraction is a simple rex for this dummy data and you should change based on actual data</P><P>You can replace <STRONG><EM>eventstats </EM></STRONG>with <STRONG><EM>stats </EM></STRONG>if you want only one status per service</P> Tue, 06 Oct 2020 08:40:37 GMT https://community.splunk.com/t5/Splunk-Search/How-to-chooose-one-value-based-on-applying-conditions-to-table/m-p/523129#M147548 renjith_nair 2020-10-06T08:40:37Z