topic Re: How to pick the status what i wish to in Splunk Search

How to pick the status what i wish to

pench2k19 — Thu, 27 Feb 2020 14:22:28 GMT

I have table with 3 field values as follows

SOR Datafeed Status
1art xxx Met SLA
1art yyy Missed SLA
1art zzz Met SLA

Now i would like to consider status of SOR as Missed SLA if it has one single status as Missed SLA , and alo there is come cases where i dont see Missed SLA status in that case it has be calculated as Met SLA.

Can you please help me guys

Re: How to pick the status what i wish to

kamlesh_vaghela — Fri, 28 Feb 2020 11:13:25 GMT

@pench2k19

Can you please share your sample search, data and expected output from that data?

Re: How to pick the status what i wish to

nickhills — Fri, 28 Feb 2020 11:23:39 GMT

Hi @pench2k19

cases where i dont see Missed SLA status in that case it has be calculated as Met SLA

You can do this with a eval Status=if(blah) but coalesce() is a good fit here

your search|eval Status=coalesce(Status,"Met SLA")

The first part of your question I'm not 100% sure what you mean...

Do you mean: "if any value of SOR, has a status of Missed SLA, then display it in the table"?
in which case something like this should work:

your search|eval Status=coalesce(Status,"Met SLA")|where Status="Missed SLA"

It might help if you can share some of your search, or rephrase the question.

Re: How to pick the status what i wish to

pench2k19 — Mon, 02 Mar 2020 12:09:25 GMT

@nickhillscpl thanks for the comment.

I have few data feeds that share common SOR name. For example if any ONE data feed have status as Missed SLA , I want to calculate that whold SOR that data feeds belongs to as Missed SLA.

If all of the datafeeds have Met SLA , i want to calculate that SOR as Met SLA.

Re: How to pick the status what i wish to

nickhills — Mon, 02 Mar 2020 12:20:22 GMT

Ok, so there are a few ways I can think of, but building on my previous answer..

If you sorted 'Status' in z-a order, you could then dedup each SOR. This would give you one row for each SOR, and would show the "Missed SLA" value if one existed. If no SLA's were missed, you would get a table of "Met SLA"

<your search>
|eval Status=coalesce(Status,"Met SLA")
|sort - Status
|dedup SOR
|table SOR Status

Re: How to pick the status what i wish to

pench2k19 — Wed, 30 Sep 2020 04:26:37 GMT

@kamlesh_vaghela here is the query i am using, But this is not working as expected

Re: How to pick the status what i wish to

pench2k19 — Wed, 30 Sep 2020 04:26:40 GMT

@nickhills i can not apply dedup SOR as it nullifying all other results for other dates as well, following is there what i have developed so far, but its not working as expected.

Re: How to pick the status what i wish to

nickhills — Mon, 02 Mar 2020 13:09:34 GMT

Try this:

|inputlookup MBDA_SLA_stats.csv
| dedup SOR feed timestamp
| eval status=if(timestamp_epoch>Expected_time_epoch,"Missed SLA","Met SLA")
|eval status=coalesce(status,"Met SLA")
|sort - status
|dedup SOR
| chart last(status) by Business_Date SOR useother=f limit=50 | fillnull value="Not Run"
|sort - Business_Date
|rename Business_Date as "Business Date"

I'd be tempted to remove the double dedup, but since this is coming from a lookup the performance impact is likely negligible.

Re: How to pick the status what i wish to

pench2k19 — Tue, 03 Mar 2020 15:18:54 GMT

its not working as expected.

Re: How to pick the status what i wish to

nickhills — Tue, 03 Mar 2020 15:29:08 GMT

in what way?