How to combine similar and different values of two...

din98 · ‎10-09-2022

gcusello · ‎10-09-2022

you have to normalize your field and I hint to do this in a calculated field and not in your search.

In few word, you have to create two eval commands like thie following:

| eval 
   state1=case(state1="Completed","Successful",state1="Faulted","Successful"),
   state2=case(state2="Completed","Successful",state2="Faulted","Successful")

you can try them in a search, but after the test I hint to put then in two calculated fields.

then in the search use the coalesce option in the eval command

| eval state=coalesce(state1,state2)

Ciao.

Giuseppe

din98 · ‎10-11-2022

,

gcusello · ‎10-12-2022

Hi @din98,

you can add all the conditions you have, I don't know if it's possible in your logs, but you could have:

| eval 
   state1=case(state1="Completed","Successful",state1="Faulted","Successful",state2="Pending","Pending"),
   state2=case(state2="Completed","Successful",state2="Faulted","Successful",state2="Pending","Pending")

Ciao.

Giuseppe

How to combine similar and different values of two fields together?

other

table

Observability | How to Think About Instrumentation Overhead (White Paper)

Cloud Platform | Get Resiliency in the Cloud Event (Register Now!)

The Great Resilience Quest: 10th Leaderboard Update