https://community.splunk.com/t5/Splunk-Search/Looping-if-condition-in-for-loop-and-display-different-tables/m-p/245550#M73185 <P>I have a table with 10 records. 2 rows for each host - say AUX0001 to AUX0005. For each host, 2 processes occur: the status and time range. AUX0001 disp.exe abcded green running , AUX0001 wxze.exe red running. In this way it is present for all the hosts.. <BR /> My requirement - if both processes are green, host should display only once for disp.exe. if both are red, then both processes should be displayed. If one is green and one is red , it should be red with that process name be it disp.exe or wxze.exe. This looks simple. but unable to achieve this. </P> <P>I tried several ways - Should i have to loop for each host? I'm not getting the desired result.</P> <PRE><CODE>index="xxx" sourcetype="yy" |fields name description dispstatus textstatus starttime elapsedtime pid source|eval host_source = mvindex(split(source,"\\"),5)|eventstats count(eval(dispstatus="Green")) as green_count count(eval(dispstatus="Red")) as red_count by host_source|eval desc_test = case(green_count ==2 OR red_count ==2,"Dispatcher", red_count ==1 AND description="watchdog" ,"watch", red_count ==1 AND description=" Dispatcher " ," Dispatcher ")|table host_source description dispstatus desc_test|where description=desc_test </CODE></PRE> <P>Can someone please help me here? Thanks a lot</P> Sun, 22 Jan 2017 03:52:36 GMT k_harini 2017-01-22T03:52:36Z https://community.splunk.com/t5/Splunk-Search/Looping-if-condition-in-for-loop-and-display-different-tables/m-p/245550#M73185 <P>I have a table with 10 records. 2 rows for each host - say AUX0001 to AUX0005. For each host, 2 processes occur: the status and time range. AUX0001 disp.exe abcded green running , AUX0001 wxze.exe red running. In this way it is present for all the hosts.. <BR /> My requirement - if both processes are green, host should display only once for disp.exe. if both are red, then both processes should be displayed. If one is green and one is red , it should be red with that process name be it disp.exe or wxze.exe. This looks simple. but unable to achieve this. </P> <P>I tried several ways - Should i have to loop for each host? I'm not getting the desired result.</P> <PRE><CODE>index="xxx" sourcetype="yy" |fields name description dispstatus textstatus starttime elapsedtime pid source|eval host_source = mvindex(split(source,"\\"),5)|eventstats count(eval(dispstatus="Green")) as green_count count(eval(dispstatus="Red")) as red_count by host_source|eval desc_test = case(green_count ==2 OR red_count ==2,"Dispatcher", red_count ==1 AND description="watchdog" ,"watch", red_count ==1 AND description=" Dispatcher " ," Dispatcher ")|table host_source description dispstatus desc_test|where description=desc_test </CODE></PRE> <P>Can someone please help me here? Thanks a lot</P> Sun, 22 Jan 2017 03:52:36 GMT https://community.splunk.com/t5/Splunk-Search/Looping-if-condition-in-for-loop-and-display-different-tables/m-p/245550#M73185 k_harini 2017-01-22T03:52:36Z https://community.splunk.com/t5/Splunk-Search/Looping-if-condition-in-for-loop-and-display-different-tables/m-p/245551#M73186 <PRE><CODE>STATUS DISPLAY DISP WATCH DISP WATCH GREEN GREEN GREEN GREEN RED RED RED GREEN RED RED RED RED RED </CODE></PRE> <P>okay, if either process is red, then that process should display. On the other hand, if both processes are green, then DISP should show green.</P> <P>Try this for test code - </P> <PRE><CODE>index="xxx" sourcetype="yy" | fields name description dispstatus textstatus starttime elapsedtime pid source | eval host_source = mvindex(split(source,"\\"),5) | eventstats count(eval(dispstatus="Green")) as green_count by host_source | eval desc_test = If( (dispstatus="Red") OR (green_count==2 AND description=" Dispatcher "),"Pass","Block") | table host_source description dispstatus desc_test | sort 0 host_source description </CODE></PRE> <P>If those results seem right, then use this for the actual code</P> <PRE><CODE>index="xxx" sourcetype="yy" | fields name description dispstatus textstatus starttime elapsedtime pid source | eval host_source = mvindex(split(source,"\\"),5) | eventstats count(eval(dispstatus="Green")) as green_count by host_source | search (dispstatus="Red") OR (green_count==2 AND description=" Dispatcher ") | table host_source description dispstatus | sort 0 host_source description </CODE></PRE> Sun, 22 Jan 2017 04:27:49 GMT https://community.splunk.com/t5/Splunk-Search/Looping-if-condition-in-for-loop-and-display-different-tables/m-p/245551#M73186 DalJeanis 2017-01-22T04:27:49Z https://community.splunk.com/t5/Splunk-Search/Looping-if-condition-in-for-loop-and-display-different-tables/m-p/245552#M73187 <P>Thanks so much for your response.. I tried this.. it worked.. instead of green_count = 2 , I gave dispstatus = green, 1 green process also got displayed along with red ones.. Thanks a lot.. I got confused.. </P> Sun, 22 Jan 2017 10:31:43 GMT https://community.splunk.com/t5/Splunk-Search/Looping-if-condition-in-for-loop-and-display-different-tables/m-p/245552#M73187 k_harini 2017-01-22T10:31:43Z https://community.splunk.com/t5/Splunk-Search/Looping-if-condition-in-for-loop-and-display-different-tables/m-p/245553#M73188 <P>You're welcome. </P> <P>The little results chart I made helped me simplify the question. There was only one condition that ever showed green (green==2), so from there it was easy. </P> Mon, 23 Jan 2017 14:49:37 GMT https://community.splunk.com/t5/Splunk-Search/Looping-if-condition-in-for-loop-and-display-different-tables/m-p/245553#M73188 DalJeanis 2017-01-23T14:49:37Z