Conflicting multiple values using eval command


Hello Guys,

What I'm trying to achieve is to show all the "NOT OKAY" field values from the stats.
There's a conflict between my "OKAY" and "NOT OKAY" values.

Can anyone guide me on how to show all the "NOT OKAY" values in the summary field?

Tried replacing the case with ~ | eval z=if((y=1 OR swapUsedPct1=1 OR CommandCount1=1),"NOT OKAY","OKAY")

but I'm getting the same result.

Here's my Search:

index=os host=local* 
| multikv fields swapUsedPct 
| eval swapUsedPct1=if(swapUsedPct>=10,1,0)
| append [search index=os host=local* source=ps   
| multikv 
| search S=Z PID=* COMMAND=*  
| eventstats dc(PID) AS CommandCount by host
| eval CommandCount1=if(CommandCount>=10,1,0)]
| append [search index=os host=local* source=ps 
| multikv 
| rex field=ELAPSED "(?<daytrend>(\d+\-?))" 
| eval daytrend=replace (daytrend,"-","")  
| eval daytrend=tonumber(trim(daytrend)) 
| eval x=(182-daytrend) 
| eval y=if(x<=1,1,0)]
| eval summary = case(y=1 OR swapUsedPct1=1 OR CommandCount1=1, "NOT OKAY", (y=0 OR swapUsedPct1=0 OR CommandCount1=0), "OKAY", (y=2 OR swapUsedPct1=2 OR CommandCount1=2), "NULL") 
| stats latest(summary) AS Status BY host  
| sort + Status

Yep, I know my search can still be optimized 🙂

Thank you kindly!

I suspect there is nothing correlating the three searches to each other. Consider replacing the append commands with join host. This is less efficient, but may work better.

yep, your suspicion is spot on! Thank you!
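The correlation problem described in the answer above, as an added example that is not part of the original thread: after `append`, each row carries only one of the three flag fields, so `case()` runs on rows where the other two are null. Collapsing to one row per host with `stats max()` before the `case()` is an alternative to `join host`. The host names and flag values below are constructed sample data, and the `case()` is the AND form suggested later in this thread.

```spl
| makeresults
| eval host="constructed-host-1", swapUsedPct1=1
| append [| makeresults | eval host="constructed-host-1", CommandCount1=0]
| append [| makeresults | eval host="constructed-host-1", y=0]
| append [| makeresults | eval host="constructed-host-2", swapUsedPct1=0]
| append [| makeresults | eval host="constructed-host-2", CommandCount1=0]
| append [| makeresults | eval host="constructed-host-2", y=0]
| append [| makeresults | eval host="constructed-host-3", swapUsedPct1=0]
| stats max(swapUsedPct1) AS swapUsedPct1 max(CommandCount1) AS CommandCount1 max(y) AS y BY host
| eval Status=case(y=1 OR swapUsedPct1=1 OR CommandCount1=1, "NOT OKAY", y=0 AND swapUsedPct1=0 AND CommandCount1=0, "OKAY", 1=1, "NULL")
| table host swapUsedPct1 CommandCount1 y Status
| sort + Status
```

With this data, constructed-host-1 is NOT OKAY because one flag is 1, constructed-host-2 is OKAY because all three flags are 0, and constructed-host-3 falls through to NULL because two of its checks returned no rows.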

Your code is doing exactly what it ought to, as far as I can tell. This code generates all 27 possible conditions for test purposes:

| makeresults 
| eval y = "0 1 2" | makemv y | mvexpand y 
| eval swapUsedPct1 = "0 1 2" | makemv swapUsedPct1 | mvexpand swapUsedPct1
| eval CommandCount1= "0 1 2"  | makemv CommandCount1 | mvexpand CommandCount1  
| sort y swapUsedPct1 CommandCount1
| streamstats count as RecNo
| table RecNo y swapUsedPct1 CommandCount1

Your case statement processes the above output

 | eval summary = case(y=1 OR swapUsedPct1=1 OR CommandCount1=1, "NOT OKAY", (y=0 OR swapUsedPct1=0 OR CommandCount1=0), "OKAY", (y=2 OR swapUsedPct1=2 OR CommandCount1=2), "NULL")

resulting in

RecNo           y               swapUsedPct1    CommandCount1   summary        
1               0               0               0               OKAY           
2               0               0               1               NOT OKAY       
3               0               0               2               OKAY           
4               0               1               0               NOT OKAY       
5               0               1               1               NOT OKAY       
6               0               1               2               NOT OKAY       
7               0               2               0               OKAY           
8               0               2               1               NOT OKAY       
9               0               2               2               OKAY           
10              1               0               0               NOT OKAY       
11              1               0               1               NOT OKAY       
12              1               0               2               NOT OKAY       
13              1               1               0               NOT OKAY       
14              1               1               1               NOT OKAY       
15              1               1               2               NOT OKAY       
16              1               2               0               NOT OKAY       
17              1               2               1               NOT OKAY       
18              1               2               2               NOT OKAY       
19              2               0               0               OKAY           
20              2               0               1               NOT OKAY       
21              2               0               2               OKAY           
22              2               1               0               NOT OKAY       
23              2               1               1               NOT OKAY       
24              2               1               2               NOT OKAY       
25              2               2               0               OKAY           
26              2               2               1               NOT OKAY       
27              2               2               2               NULL           

Which results do you find to be in error?

Hello DalJeanis, and thank you for your answer. Yes, the search is fine if I break the searches down into three (removing the | append).

My error is that swapUsedPct's result is only appearing for some reason and I think the append is the cause.

So you're saying swapUsedPct has a value and the other two fields are null?

Have you tried this case statement? case(y=1 OR swapUsedPct1=1 OR CommandCount1=1, "NOT OKAY", (y=0 AND swapUsedPct1=0 AND CommandCount1=0), "OKAY", 1=1, "NULL")

I mean, swapUsedPct1, CommandCount1, and y have values but my Status table only shows that swapUsedPct1 got the right values and CommandCount1 and y's values were not correct.
But if I break down the searches into three, I get the right values for everything.

index=os host=local*
| multikv fields swapUsedPct
| eval swapUsedPct1=if(swapUsedPct>=10,"NOT OKAY","OKAY")
| stats latest(swapUsedPct1) AS swapUsedPct1 by host

index=os host=local* source=ps
| multikv
| search S=Z PID=* COMMAND=*
| eventstats dc(PID) AS CommandCount by host
| eval CommandCount1=if(CommandCount>=10,"NOT OKAY","OKAY")
| stats latest(CommandCount1) AS CommandCount1 by host

index=os host=local* source=ps
| multikv
| rex field=ELAPSED "(?<daytrend>(\d+-?))"
| eval daytrend=replace (daytrend,"-","")
| eval daytrend=tonumber(trim(daytrend))
| eval x=(182-daytrend)
| eval y=if(x<=1,"NOT OKAY","OKAY")
| stats latest(y) AS y by host

These searches are good on their own. But if I use eval case and consolidate all three of these searches, the result is not the same. There's actually no NULL value in this one. I just made that up to fill out the case.

What do you mean by 'a conflict to my "OKAY" and "NOT OKAY" values' ?

I'm showing the Status by host, Status consists of swapUsedPct, CommandCount, and y.

If swapUsedPct is NOT OKAY, CommandCount is OKAY, and y is OKAY, the result of the Status should be NOT OKAY regardless of the OKAY values on other fields.

Have you verified the values of swapUsedPct1, CommandCount1, and y?

Yes, and my current search is not producing the result that I'm expecting. Originally, these were 3 searches consolidated into 1 search.

