- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Can you help me figure out if I should use a condi...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Can you help me figure out if I should use a condition statement OR an If statement?
Hi all
I am new to Splunk please help me on this.
I am trying to check a condition that if Coin Acceptor, Receipt Printer and etc are Unavailable...then I want to display only that which is Unavailable...that means, if only Coin Acceptor is Unavailable, then I want to display only Coin Acceptor in the table..
| eval Component = if(( "Coin Acceptor"==Unavailable OR "Receipt Printer"==Unavailable OR "Cash Dispenser"==Unavailable OR "Cash Draw"==Unavailable OR "Signature Pad"==Unavailable OR "Cash Dispenser"==Unavailable OR "Loyalty Scanner"==Unavailable OR "Operator/Customer Display"==Unavailable OR "PinPad"==Unavailable),"NA", Component) | table Component
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@jayachandrank,,
Try this
"your current search" |eval CULPRITS=null()
|foreach * [eval CULPRITS=if(<<FIELD>>=="Unavailable",if(isnull(CULPRITS),"<<FIELD>>",CULPRITS.", <<FIELD>>"),CULPRITS)]
The CULPRITS field should have a comma separated list of components which caused the Lane became UnAvailable.
What goes around comes around. If it helps, hit it with Karma 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@renjith.nair
I have changed my query like this
- Base search *|eval "Coin Acceptor","Loyalty Scanner"=null() |foreach *[ eval "Coin Acceptor","Loyalty Scanner"=if(<>=="Unavailable"),if((isnull("Coin Acceptor","Loyalty Scanner"),"<>"),("Coin Acceptor","Loyalty Scanner"),"<>"),"Coin Acceptor","Loyalty Scanner"] | table Store,Lane,Lane_Status,"Coin Acceptor","Loyalty Scanner","Receipt Printer"
but i am receiving a error like "Error in 'eval' command: The arguments to the 'if' function are invalid."
So i the FIELD i give any particular thing or any random name...and in you have given as <> and
"<>" is that correct or i have give double quotes in everywhere.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@jayachandrank,
You dont need to replace anything there. foreach statement has to be copied exactly as it is. So from the above search, you just replace "your current search" with your initial search
What goes around comes around. If it helps, hit it with Karma 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@renjith.nair
So i have copied that exactly as your search and replaced like this
base search |eval "Coin Acceptor","Loyalty Scanner"=null()
|foreach *[ eval "Coin Acceptor","Loyalty Scanner"=if(<>=="Unavailable"),if((isnull("Coin Acceptor","Loyalty Scanner"),"<>"),("Coin Acceptor","Loyalty Scanner"),"<>"),"Coin Acceptor","Loyalty Scanner"]
| table Store,Lane,Lane_Status,"Coin Acceptor","Loyalty Scanner"
But i am receiving this error
"Error in 'eval' command: The arguments to the 'isnull' function are invalid. "
Can you help me on this
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@jayachandrank,
what I meant is you dont need to change even the <<FIELD>> , thats the syntax of foreach
https://docs.splunk.com/Documentation/Splunk/7.2.5/SearchReference/Foreach
What goes around comes around. If it helps, hit it with Karma 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@jayachandrank,
If you have a Status field , then | where Status="Unavailable " should be enough.
Would you mind sharing the current search and /or intermediate result so that we can have a look?
What goes around comes around. If it helps, hit it with Karma 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Actually there are many field in the data model in that I have many component if any one of the component becomes unavailable it status will be unavailable..I what to check all my component if any one or more becomes unavailable I want to display all those component which makes it unavailable
I am receving like this
Lane_Status Coin Acceptor Loyalty Scanner Receipt Printer
Unavailable Unavailable Available Available
Unavailable Available Unavailable Available
But I need like this
Lane Lane_Status Coin Acceptor Loyalty Scanner Receipt Printer
12 Unavailable Unavailable
13 Unavailable Unavailable
Splunk Classroom Chronicles: Training Tales and Testimonials
Access Tokens Page - New & Improved
Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!
