Hi All,
I have created the below table using the query (index=abcde sourcetype=wxyz | rex field=_raw "(?ms)\s(?<Disk_Usage>\d+)%" | rex field=_raw "(?ms)\%\s(?<File_System>\/\w+)" | table host,File_System,Disk_Usage):
Server File_System Disk_usage
abc /apps 23
cde /logs 18
fgh /var 60
xyz /opt 62
abc /opt 60
cde /var 55
fgh /opt 58
xyz /logs 10
Here I want to create a query to mark Disk_Usage below 60 as "Ok" and above 60 as "NotOk". I tried using the query | eval if(Disk_Usage <= "60", "Ok", "NotOk") but was unable to get the desired result.
Please help me create the query to get the desired output.
Thank you.
| eval UsageOK=if(Disk_Usage <= 60, "Ok", "NotOk")
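A self-contained search for trying the classification without access to the index, added here as an example and not part of the original posts. The rows in `constructed_row` are constructed from the table in the question; the raw-line layout, the host extraction from that line, and the `tonumber()` wrapper (which forces a numeric comparison on the extracted value) are assumptions of this example.

```spl
| makeresults
| eval constructed_row=split("abc 23% /apps;cde 18% /logs;fgh 60% /var;xyz 62% /opt;abc 60% /opt;cde 55% /var;fgh 58% /opt;xyz 10% /logs", ";")
| mvexpand constructed_row
| rex field=constructed_row "^(?<host>\S+)\s"
| rex field=constructed_row "(?ms)\s(?<Disk_Usage>\d+)%"
| rex field=constructed_row "(?ms)\%\s(?<File_System>\/\w+)"
| eval UsageOK=if(tonumber(Disk_Usage) <= 60, "Ok", "NotOk")
| table host, File_System, Disk_Usage, UsageOK
```

With `<= 60`, the two rows at exactly 60 are marked "Ok" and only the 62 row is marked "NotOk"; use `< 60` if the boundary value should count as "NotOk".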