topic Re: Create static fields after matching the field value in Splunk Search

Create static fields after matching the field value

RSS_STT — Thu, 29 Aug 2024 14:52:20 GMT

I want to create one static field by looking status value = Issue

host	m_nname	status
A	cpu	Ok
B	disk	Ok
C	memory	Issue
D	netwok	Ok
E	storage	Issue

Issue found in status column few field heath created with Bad value.

Like below.

host	m_nname	status	Health
A	cpu	Ok	Bad
B	disk	Ok	Bad
C	memory	Issue	Bad
D	netwok	Ok	Bad
E	storage	Issue	Bad

Re: Create static fields after matching the field value

richgalloway — Thu, 29 Aug 2024 18:53:14 GMT

Use the eval command to create a field.

| eval Health = if(status="Issue", "Bad", "Ok")

Re: Create static fields after matching the field value

ITWhisperer — Thu, 29 Aug 2024 18:58:27 GMT

Are you saying that you want a health field that has "Bad" in for all the events if any of the events have status="Issue"?

Re: Create static fields after matching the field value

PickleRick — Thu, 29 Aug 2024 19:59:14 GMT

It's not clear how the health field is calculated. One way is what @ITWhisperer showed but it won't match your mockup results - you have health=bad all acros the board.

Re: Create static fields after matching the field value

RSS_STT — Fri, 30 Aug 2024 06:05:25 GMT

Yes, Your understanding is correct.

Re: Create static fields after matching the field value

ITWhisperer — Fri, 30 Aug 2024 06:53:41 GMT

| eventstats values(eval(if(status="Issue","Bad",null()))) as Health

Re: Create static fields after matching the field value

RSS_STT — Mon, 02 Sep 2024 09:41:15 GMT

It's missing the fields value if all Ok.

I need Health field to be populated with Ok if all status field have all Ok value.

Re: Create static fields after matching the field value

ITWhisperer — Mon, 02 Sep 2024 10:11:55 GMT

| eventstats values(eval(if(status="Issue","Bad",null()))) as Health | fillnull value="Ok" Health