Re: Can you help me figure out if I should use a c...

jayachandrank · ‎03-29-2019

Hi all

I am new to Splunk please help me on this.

I am trying to check a condition that if Coin Acceptor, Receipt Printer and etc are Unavailable...then I want to display only that which is Unavailable...that means, if only Coin Acceptor is Unavailable, then I want to display only Coin Acceptor in the table..

| eval Component = if(( "Coin Acceptor"==Unavailable OR "Receipt Printer"==Unavailable OR "Cash Dispenser"==Unavailable OR "Cash Draw"==Unavailable OR "Signature Pad"==Unavailable OR "Cash Dispenser"==Unavailable OR "Loyalty Scanner"==Unavailable OR "Operator/Customer Display"==Unavailable OR "PinPad"==Unavailable),"NA", Component) | table  Component

renjith_nair · ‎03-29-2019

@jayachandrank,,

Try this

"your current search" |eval CULPRITS=null()
|foreach * [eval CULPRITS=if(<<FIELD>>=="Unavailable",if(isnull(CULPRITS),"<<FIELD>>",CULPRITS.", <<FIELD>>"),CULPRITS)]

The CULPRITS field should have a comma separated list of components which caused the Lane became UnAvailable.

Happy Splunking!

jayachandrank · ‎03-31-2019

@renjith.nair

I have changed my query like this

Base search *|eval "Coin Acceptor","Loyalty Scanner"=null() |foreach *[ eval "Coin Acceptor","Loyalty Scanner"=if(<>=="Unavailable"),if((isnull("Coin Acceptor","Loyalty Scanner"),"<>"),("Coin Acceptor","Loyalty Scanner"),"<>"),"Coin Acceptor","Loyalty Scanner"] | table Store,Lane,Lane_Status,"Coin Acceptor","Loyalty Scanner","Receipt Printer"

but i am receiving a error like "Error in 'eval' command: The arguments to the 'if' function are invalid."

So i the FIELD i give any particular thing or any random name...and in you have given as <> and
"<>" is that correct or i have give double quotes in everywhere.

renjith_nair · ‎03-31-2019

@jayachandrank,

You dont need to replace anything there. foreach statement has to be copied exactly as it is. So from the above search, you just replace "your current search" with your initial search

Happy Splunking!

jayachandrank · ‎03-31-2019

@renjith.nair

So i have copied that exactly as your search and replaced like this

base search |eval "Coin Acceptor","Loyalty Scanner"=null()
|foreach *[ eval "Coin Acceptor","Loyalty Scanner"=if(<>=="Unavailable"),if((isnull("Coin Acceptor","Loyalty Scanner"),"<>"),("Coin Acceptor","Loyalty Scanner"),"<>"),"Coin Acceptor","Loyalty Scanner"]
| table Store,Lane,Lane_Status,"Coin Acceptor","Loyalty Scanner"

But i am receiving this error
"Error in 'eval' command: The arguments to the 'isnull' function are invalid. "
Can you help me on this

renjith_nair · ‎04-03-2019

@jayachandrank,
what I meant is you dont need to change even the <<FIELD>> , thats the syntax of foreach

https://docs.splunk.com/Documentation/Splunk/7.2.5/SearchReference/Foreach

Happy Splunking!

renjith_nair · ‎03-29-2019

@jayachandrank,

If you have a Status field , then | where Status="Unavailable " should be enough.
Would you mind sharing the current search and /or intermediate result so that we can have a look?

Happy Splunking!

jayachandrank · ‎03-29-2019

Actually there are many field in the data model in that I have many component if any one of the component becomes unavailable it status will be unavailable..I what to check all my component if any one or more becomes unavailable I want to display all those component which makes it unavailable

I am receving like this
Lane_Status Coin Acceptor Loyalty Scanner Receipt Printer
Unavailable Unavailable Available Available
Unavailable Available Unavailable Available

But I need like this

Lane Lane_Status Coin Acceptor Loyalty Scanner Receipt Printer
12 Unavailable Unavailable

13 Unavailable Unavailable

Can you help me figure out if I should use a condition statement OR an If statement?

Welcome to the Splunk Community!

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Adoption of RUM and APM at Splunk