All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to use "CASE" statements to get the results based on multiple conditions and multiple fields?

rajhemant26
New Member
‎03-11-2019 06:46 AM

Hello everyone.

Want to display the output only for the time which crosses 18 months (earliest time)

Tags (1)
0 Karma
Reply

nickhills
Ultra Champion
‎03-11-2019 06:57 AM

Typed on a phone, so there may be errors, but would something like this work for you?

 ...|search QUEUE=message*
    |eval level=case((QUEUE=MESSAGE1 AND QueueDepth>=400 AND MessageAge>=400), "high", (QUEUE=MESSAGE2 AND QueueDepth>=200 AND MessageAge>=300), "high", (QUEUE=MESSAGE3 AND QueueDepth>=100 AND MessageAge>=300), "high",1=1,"other")
    |where level="high"
    |stats count by QUEUE
If my comment helps, please give it a thumbs up!
0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...