Re: How to pick the status what i wish to

pench2k19 · ‎02-27-2020

I have table with 3 field values as follows

SOR Datafeed Status
1art xxx Met SLA
1art yyy Missed SLA
1art zzz Met SLA

Now i would like to consider status of SOR as Missed SLA if it has one single status as Missed SLA , and alo there is come cases where i dont see Missed SLA status in that case it has be calculated as Met SLA.

Can you please help me guys

nickhills · ‎02-28-2020

Hi @pench2k19

cases where i dont see Missed SLA status in that case it has be calculated as Met SLA

You can do this with a eval Status=if(blah) but coalesce() is a good fit here

your search|eval Status=coalesce(Status,"Met SLA")

The first part of your question I'm not 100% sure what you mean...

Do you mean: "if any value of SOR, has a status of Missed SLA, then display it in the table"?
in which case something like this should work:

your search|eval Status=coalesce(Status,"Met SLA")|where Status="Missed SLA"

It might help if you can share some of your search, or rephrase the question.

If my comment helps, please give it a thumbs up!

pench2k19 · ‎03-02-2020

@nickhillscpl thanks for the comment.

I have few data feeds that share common SOR name. For example if any ONE data feed have status as Missed SLA , I want to calculate that whold SOR that data feeds belongs to as Missed SLA.

If all of the datafeeds have Met SLA , i want to calculate that SOR as Met SLA.

nickhills · ‎03-02-2020

Ok, so there are a few ways I can think of, but building on my previous answer..

If you sorted 'Status' in z-a order, you could then dedup each SOR. This would give you one row for each SOR, and would show the "Missed SLA" value if one existed. If no SLA's were missed, you would get a table of "Met SLA"

<your search>
|eval Status=coalesce(Status,"Met SLA")
|sort - Status
|dedup SOR
|table SOR Status

If my comment helps, please give it a thumbs up!

pench2k19 · ‎03-02-2020

@nickhills i can not apply dedup SOR as it nullifying all other results for other dates as well, following is there what i have developed so far, but its not working as expected.

nickhills · ‎03-02-2020

Try this:

|inputlookup MBDA_SLA_stats.csv
| dedup SOR feed timestamp
| eval status=if(timestamp_epoch>Expected_time_epoch,"Missed SLA","Met SLA")
|eval status=coalesce(status,"Met SLA")
|sort - status
|dedup SOR
| chart last(status) by Business_Date SOR useother=f limit=50 | fillnull value="Not Run"
|sort - Business_Date
|rename Business_Date as "Business Date"

I'd be tempted to remove the double dedup, but since this is coming from a lookup the performance impact is likely negligible.

If my comment helps, please give it a thumbs up!

pench2k19 · ‎03-03-2020

its not working as expected.

nickhills · ‎03-03-2020

in what way?

If my comment helps, please give it a thumbs up!

kamlesh_vaghela · ‎02-28-2020

@pench2k19

Can you please share your sample search, data and expected output from that data?

pench2k19 · ‎03-02-2020

@kamlesh_vaghela here is the query i am using, But this is not working as expected

How to pick the status what i wish to

Introducing Splunk Enterprise 9.2

Adoption of RUM and APM at Splunk

Routing logs with Splunk OTel Collector for Kubernetes