Hi,
I am getting the table below using this query:
index=main host="abcde" | rex field=_raw "(?ms)Node\s+Name\s:\s(?<Node_Name>\w+\S+)" | rex field=_raw "(?ms)Node\sState\s:\s(?<Node_State>[\w\s]+\w)\s+Number" | eval Result=if('Node_State'=='Running', "Ok", "NotOk") | table Node_Name,Node_State,Result
Node_Name Node_State Result
abc Stopped NotOk
cde Running NotOk
abc Running NotOk
xyz Stopped NotOk
the Running NotOk
abc Partially running NotOk
abc Stopped NotOk
xyz Running NotOk
the Running NotOk
abc Running NotOk
Is there anything wrong with the eval command in my query? I want the "Result" field to be "Ok" if Running and "NotOk" for any other state. But here it does not seem to be working as expected.
Please help me modify the query to get the output in the desired way.
Thank you.
| eval Result=if(Node_State=="Running", "Ok", "NotOk")
Hi to4kawa,
Thank you very much..!! It is now working as desired.
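
Why the original eval returned NotOk on every row, as an added example that is not part of the original thread: in eval, single quotes mark a field name and double quotes mark a string literal, so 'Running' refers to a field called Running, which does not exist, and the comparison never succeeds. The Node_State values are constructed with makeresults, and the field names Running_field_exists, Result_single_quotes and Result_double_quotes are hypothetical.

```spl
| makeresults count=3
| streamstats count AS n
| eval Node_State=case(n==1, "Running", n==2, "Stopped", n==3, "Partially running")
| eval Running_field_exists=if(isnull('Running'), "no", "yes")
| eval Result_single_quotes=if('Node_State'=='Running', "Ok", "NotOk")
| eval Result_double_quotes=if(Node_State=="Running", "Ok", "NotOk")
| table Node_State Running_field_exists Result_single_quotes Result_double_quotes
```

Result_single_quotes is NotOk on all three rows, while Result_double_quotes is Ok only for the Running row. A health or alert condition written with the wrong quotes fails this way without raising any error, so it is worth testing such a condition against a row that is known to match.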