Archive
Highlighted

How to pick the status what i wish to

Engager

I have table with 3 field values as follows

SOR Datafeed Status
1art xxx Met SLA
1art yyy Missed SLA
1art zzz Met SLA

Now i would like to consider status of SOR as Missed SLA if it has one single status as Missed SLA , and alo there is come cases where i dont see Missed SLA status in that case it has be calculated as Met SLA.

Can you please help me guys

Tags (1)
0 Karma
Highlighted

Re: How to pick the status what i wish to

SplunkTrust
SplunkTrust

@pench2k19

Can you please share your sample search, data and expected output from that data?

0 Karma
Highlighted

Re: How to pick the status what i wish to

Engager

@kamlesh_vaghela here is the query i am using, But this is not working as expected

|inputlookup MBDASLAstats.csv
| dedup SOR feed timestamp
| eval status=if(timestampepoch>Expectedtimeepoch,"Missed SLA","Met SLA")
| chart last(status) by Business
Date SOR useother=f limit=50 | fillnull value="Not Run"
|sort - BusinessDate
|rename Business
Date as "Business Date"

0 Karma
Highlighted

Re: How to pick the status what i wish to

Ultra Champion

Hi @pench2k19

cases where i dont see Missed SLA status in that case it has be calculated as Met SLA

You can do this with a eval Status=if(blah) but coalesce() is a good fit here

your search|eval Status=coalesce(Status,"Met SLA")

The first part of your question I'm not 100% sure what you mean...

Do you mean: "if any value of SOR, has a status of Missed SLA, then display it in the table"?
in which case something like this should work:

your search|eval Status=coalesce(Status,"Met SLA")|where Status="Missed SLA"

It might help if you can share some of your search, or rephrase the question.

0 Karma
Highlighted

Re: How to pick the status what i wish to

Engager

@nickhillscpl thanks for the comment.

I have few data feeds that share common SOR name. For example if any ONE data feed have status as Missed SLA , I want to calculate that whold SOR that data feeds belongs to as Missed SLA.

If all of the datafeeds have Met SLA , i want to calculate that SOR as Met SLA.

0 Karma
Highlighted

Re: How to pick the status what i wish to

Ultra Champion

Ok, so there are a few ways I can think of, but building on my previous answer..

If you sorted 'Status' in z-a order, you could then dedup each SOR. This would give you one row for each SOR, and would show the "Missed SLA" value if one existed. If no SLA's were missed, you would get a table of "Met SLA"

<your search>
|eval Status=coalesce(Status,"Met SLA")
|sort - Status
|dedup SOR
|table SOR Status
0 Karma
Highlighted

Re: How to pick the status what i wish to

Engager

@nickhillscpl i can not apply dedup SOR as it nullifying all other results for other dates as well, following is there what i have developed so far, but its not working as expected.

|inputlookup MBDASLAstats.csv
| dedup SOR feed timestamp
| eval status=if(timestampepoch>Expectedtimeepoch,"Missed SLA","Met SLA")
| chart last(status) by Business
Date SOR useother=f limit=50 | fillnull value="Not Run"
|sort - BusinessDate
|rename Business
Date as "Business Date"

0 Karma
Highlighted

Re: How to pick the status what i wish to

Ultra Champion

Try this:

|inputlookup MBDA_SLA_stats.csv
| dedup SOR feed timestamp
| eval status=if(timestamp_epoch>Expected_time_epoch,"Missed SLA","Met SLA")
|eval status=coalesce(status,"Met SLA")
|sort - status
|dedup SOR
| chart last(status) by Business_Date SOR useother=f limit=50 | fillnull value="Not Run"
|sort - Business_Date
|rename Business_Date as "Business Date"

I'd be tempted to remove the double dedup, but since this is coming from a lookup the performance impact is likely negligible.

0 Karma
Highlighted

Re: How to pick the status what i wish to

Engager

its not working as expected.

0 Karma
Highlighted

Re: How to pick the status what i wish to

Ultra Champion

in what way?

0 Karma