Are you a member of the Splunk Community?
- Find Answers
- :
- Splunk Platform
- :
- Splunk Enterprise
- :
- Using condition setting the status
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Using condition setting the status
Hi,
I am trying to achive a logic for below scenario , but getting conflict ..
Table
| id | start_time | end_time | Ov_status | value | value_status |
| xyz.123 | 2020-07-22 | Inprogress | myvalue | Failed | |
| xyz.123 | 2020-07-22 | 2020-07-22 | completed | yourval | Completed |
| abc.321 | 2020-07-22 | Inprogress | isval | Inprogress |
Here i have used below case statement to get Ov_status
| eval Ov_status=case(isnotnull(start_time) AND isnull(end_time ),"Inprogress",isnotnull(start_time) AND isnotnull(end_time ),"completed")
Now i want if value_status is failed for any value of id(xyz.123) the Ov_status should reset to failed
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@vikashperiwal Based on your question seems like only if value_status in your data is already failed you want to use that value for deriving Overall Status. For other value_status, the Overall Status is determined based on whether you have End Date present in data or not. So try the following eval:
| eventstats values(value_status) as status_values by id
| eval Ov_status=case(status_values=="Failed","Failed",
isnotnull(start_time) AND isnull(end_time ),"Inprogress",
isnotnull(start_time) AND isnotnull(end_time ),"Completed",
true(),"Unknown")
Following is a run anywhere example based on the details provided:
| makeresults
| eval data="xyz.123 2020-07-22 Failed -;xyz.123 2020-07-22 Completed 2020-07-22;abc.321 2020-07-22 Inprogress -;"
| makemv data delim=";"
| mvexpand data
| makemv data delim=" "
| eval id=mvindex(data,0), start_time=mvindex(data,1), value_status=mvindex(data,2), end_time=mvindex(data,3)
| eval end_time=case(end_time!="-",end_time)
| table id start_time end_time value_status
| eventstats values(value_status) as status_values by id
| eval Ov_status=case(match(status_values,"Failed"),"Failed",
isnotnull(start_time) AND isnull(end_time ),"Inprogress",
isnotnull(start_time) AND isnotnull(end_time ),"Completed",
true(),"Unknown")
| makeresults | eval message= "Happy Splunking!!!"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi
How about this:
| eval Ov_status=case(id="xyz.123" AND value_status="Failed","Failed", isnotnull(start_time) AND isnull(end_time ),"Inprogress",isnotnull(start_time) AND isnotnull(end_time ),"completed")- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for the response..
Here the the ID is dynamic , i may have 100 of ID"s and each id is associated with some values and each value has a status called value status.
If my value status is failed i need to make my overall status f field for all the values present is that I'd...
I was thnking of some thing below
|eval Ov_status= if(value_status=="failed" OR value_status=="Inprogress" or value_status=="completed", "failed",Ov_status)..
But above condition is making all my Ov_status to failed irrespective of checking ID
I want to filter by ID
Leveraging Automated Threat Analysis Across the Splunk Ecosystem
Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain
Splunk Lantern’s Guide to The Most Popular .conf25 Sessions
