Splunk Enterprise
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Using condition setting the status

vikashperiwal
Path Finder
‎07-22-2020 09:23 AM

Hi,

I am trying to achive a logic for below scenario , but getting conflict ..

Table

id start_time end_time  Ov_status value value_status
xyz.123 2020-07-22   Inprogress myvalue Failed
xyz.123 2020-07-22 2020-07-22 completed yourval Completed
abc.321 2020-07-22   Inprogress isval Inprogress

 

Here i have used below case statement to get Ov_status

| eval Ov_status=case(isnotnull(start_time) AND isnull(end_time ),"Inprogress",isnotnull(start_time) AND isnotnull(end_time ),"completed")


Now i want if value_status is failed for any value of id(xyz.123) the Ov_status should reset to failed

Labels (2)
Labels
0 Karma
Reply

niketn
Legend
‎07-23-2020 02:39 AM

@vikashperiwal Based on your question seems like only if value_status in your data is already failed you want to use that value for deriving Overall Status. For other value_status, the Overall Status is determined based on whether you have End Date present in data or not. So try the following eval:

 

| eventstats values(value_status) as status_values by id
| eval Ov_status=case(status_values=="Failed","Failed",
    isnotnull(start_time) AND isnull(end_time ),"Inprogress",
    isnotnull(start_time) AND isnotnull(end_time ),"Completed",
    true(),"Unknown")

 

 Following is a run anywhere example based on the details provided:

 

| makeresults 
| eval data="xyz.123 2020-07-22 Failed -;xyz.123 2020-07-22 Completed 2020-07-22;abc.321 2020-07-22 Inprogress -;" 
| makemv data delim=";" 
| mvexpand data 
| makemv data delim=" " 
| eval id=mvindex(data,0), start_time=mvindex(data,1), value_status=mvindex(data,2), end_time=mvindex(data,3) 
| eval end_time=case(end_time!="-",end_time) 
| table id start_time end_time value_status 
| eventstats values(value_status) as status_values by id
| eval Ov_status=case(match(status_values,"Failed"),"Failed",
    isnotnull(start_time) AND isnull(end_time ),"Inprogress",
    isnotnull(start_time) AND isnotnull(end_time ),"Completed",
    true(),"Unknown")

 

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎07-22-2020 12:31 PM

Hi

How about this:

| eval Ov_status=case(id="xyz.123" AND value_status="Failed","Failed", isnotnull(start_time) AND isnull(end_time ),"Inprogress",isnotnull(start_time) AND isnotnull(end_time ),"completed")
0 Karma
Reply

vikashperiwal
Path Finder
‎07-22-2020 07:05 PM

Thanks for the response..

Here the the ID is dynamic , i may have 100 of ID"s and each id is associated with some values and each value has a status called value status.

If my value status is failed i need to make my overall status f field for all the values present is that I'd...

I was thnking of some thing below

|eval Ov_status= if(value_status=="failed" OR value_status=="Inprogress" or value_status=="completed", "failed",Ov_status)..

But above condition  is making all my Ov_status to failed irrespective of checking ID

I want to filter by ID

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...

Splunk Enterprise Security 8.x: The Essential Upgrade for Threat Detection, ...

Watch On Demand the Tech Talk on November 6 at 11AM PT, and empower your SOC to reach new heights! Duration: ...

Splunk Observability as Code: From Zero to Dashboard

For the details on what Self-Service Observability and Observability as Code is, we have some awesome content ...