- Find Answers
- :
- Splunk Platform
- :
- Splunk Enterprise
- :
- Re: Using condition setting the status
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Using condition setting the status
Hi,
I am trying to achive a logic for below scenario , but getting conflict ..
Table
| id | start_time | end_time | Ov_status | value | value_status |
| xyz.123 | 2020-07-22 | Inprogress | myvalue | Failed | |
| xyz.123 | 2020-07-22 | 2020-07-22 | completed | yourval | Completed |
| abc.321 | 2020-07-22 | Inprogress | isval | Inprogress |
Here i have used below case statement to get Ov_status
| eval Ov_status=case(isnotnull(start_time) AND isnull(end_time ),"Inprogress",isnotnull(start_time) AND isnotnull(end_time ),"completed")
Now i want if value_status is failed for any value of id(xyz.123) the Ov_status should reset to failed
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@vikashperiwal Based on your question seems like only if value_status in your data is already failed you want to use that value for deriving Overall Status. For other value_status, the Overall Status is determined based on whether you have End Date present in data or not. So try the following eval:
| eventstats values(value_status) as status_values by id
| eval Ov_status=case(status_values=="Failed","Failed",
isnotnull(start_time) AND isnull(end_time ),"Inprogress",
isnotnull(start_time) AND isnotnull(end_time ),"Completed",
true(),"Unknown")
Following is a run anywhere example based on the details provided:
| makeresults
| eval data="xyz.123 2020-07-22 Failed -;xyz.123 2020-07-22 Completed 2020-07-22;abc.321 2020-07-22 Inprogress -;"
| makemv data delim=";"
| mvexpand data
| makemv data delim=" "
| eval id=mvindex(data,0), start_time=mvindex(data,1), value_status=mvindex(data,2), end_time=mvindex(data,3)
| eval end_time=case(end_time!="-",end_time)
| table id start_time end_time value_status
| eventstats values(value_status) as status_values by id
| eval Ov_status=case(match(status_values,"Failed"),"Failed",
isnotnull(start_time) AND isnull(end_time ),"Inprogress",
isnotnull(start_time) AND isnotnull(end_time ),"Completed",
true(),"Unknown")
| makeresults | eval message= "Happy Splunking!!!"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi
How about this:
| eval Ov_status=case(id="xyz.123" AND value_status="Failed","Failed", isnotnull(start_time) AND isnull(end_time ),"Inprogress",isnotnull(start_time) AND isnotnull(end_time ),"completed")- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for the response..
Here the the ID is dynamic , i may have 100 of ID"s and each id is associated with some values and each value has a status called value status.
If my value status is failed i need to make my overall status f field for all the values present is that I'd...
I was thnking of some thing below
|eval Ov_status= if(value_status=="failed" OR value_status=="Inprogress" or value_status=="completed", "failed",Ov_status)..
But above condition is making all my Ov_status to failed irrespective of checking ID
I want to filter by ID
Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...
Monitoring Amazon Elastic Kubernetes Service (EKS)
Cloud Platform & Enterprise: Classic Dashboard Export Feature Deprecation
