- Find Answers
- :
- Using Splunk
- :
- Dashboards & Visualizations
- :
- join SingleValue search
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
how do I join below two searches and return within same SingleValue with following conditions..
If "ConnectionStatus" is "On" and "Events" is "0" , display "No Errors" with low range
If "ConnectionStatus" is "On" and "Events" is greater than "0" , display "Warning" with elevated range
If "ConnectionStatus" is NOT "On" and "Events" is greater than "0" , display "Error" with severe range
ConnectionStatus
index=xxx sourcetype="ConnectionStatus" State!="On" |stats first(State) as State | stats count | appendpipe [ stats count | eval Status="Up" | where count==0 ] | eval Status=if(count==0,"Up","Down") | eval range = if(Status=="No Errors","low","severe")
Events
index=yyy sourcetype="Events" Type!=Information (EventCode>="3012" AND EventCode<="3054") | stats count | eval StateBool = if (count==0, 0, 1) | eval Status=if(count==0,"No Errors","Warning") | rangemap field=StateBool low=0-0 elevated=1-1 | table Status range
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If I understand it correctly, this should work:
index=xxx sourcetype="ConnectionStatus" State!="On"| stats count AS connection_off_count | appendcols [ index=yyy sourcetype="Events" Type!=Information (EventCode>="3012" AND EventCode<="3054") | stats count AS event_error_count] | eval warning_type = case( (connection_off_count ==0) AND (event_error_count == 0), "No Errors", (connection_off_count ==0) AND (event_error_count > 0), "Warning", (connection_off_count > 0) AND (event_error_count > 0),"Error") | table warning_type
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If I understand it correctly, this should work:
index=xxx sourcetype="ConnectionStatus" State!="On"| stats count AS connection_off_count | appendcols [ index=yyy sourcetype="Events" Type!=Information (EventCode>="3012" AND EventCode<="3054") | stats count AS event_error_count] | eval warning_type = case( (connection_off_count ==0) AND (event_error_count == 0), "No Errors", (connection_off_count ==0) AND (event_error_count > 0), "Warning", (connection_off_count > 0) AND (event_error_count > 0),"Error") | table warning_type
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
you could pipe your rangemap logic before the table command. It should work.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you. That works.
But how do I use range / rangemap with that search ?
No Errors is Green Tick , Warning is Orange & Error is Red cross
Changes to Splunk Instructor-Led Training Completion Criteria
Stay Connected: Your Guide to January Tech Talks, Office Hours, and Webinars!
Preparing your Splunk Environment for OpenSSL3
