Solved: Create static fields after matching the field valu...

RSS_STT · ‎08-29-2024

I want to create one static field by looking status value = Issue

host	m_nname	status
A	cpu	Ok
B	disk	Ok
C	memory	Issue
D	netwok	Ok
E	storage	Issue

Issue found in status column few field heath created with Bad value.

Like below.

host	m_nname	status	Health
A	cpu	Ok	Bad
B	disk	Ok	Bad
C	memory	Issue	Bad
D	netwok	Ok	Bad
E	storage	Issue	Bad

ITWhisperer · ‎09-02-2024

| eventstats values(eval(if(status="Issue","Bad",null()))) as Health
| fillnull value="Ok" Health

View solution in original post

PickleRick · ‎08-29-2024

It's not clear how the health field is calculated. One way is what @ITWhisperer showed but it won't match your mockup results - you have health=bad all acros the board.

ITWhisperer · ‎08-29-2024

Are you saying that you want a health field that has "Bad" in for all the events if any of the events have status="Issue"?

RSS_STT · ‎08-29-2024

Yes, Your understanding is correct.

ITWhisperer · ‎08-29-2024

| eventstats values(eval(if(status="Issue","Bad",null()))) as Health

RSS_STT · ‎09-02-2024

It's missing the fields value if all Ok.

I need Health field to be populated with Ok if all status field have all Ok value.

ITWhisperer · ‎09-02-2024

| eventstats values(eval(if(status="Issue","Bad",null()))) as Health
| fillnull value="Ok" Health

richgalloway · ‎08-29-2024

Use the eval command to create a field.

| eval Health = if(status="Issue", "Bad", "Ok")

---
If this reply helps you, Karma would be appreciated.

Create static fields after matching the field value

other

stats

subsearch

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?