Solved: Create static fields after matching the field valu...

RSS_STT · ‎08-29-2024

I want to create one static field by looking status value = Issue

host	m_nname	status
A	cpu	Ok
B	disk	Ok
C	memory	Issue
D	netwok	Ok
E	storage	Issue

Issue found in status column few field heath created with Bad value.

Like below.

host	m_nname	status	Health
A	cpu	Ok	Bad
B	disk	Ok	Bad
C	memory	Issue	Bad
D	netwok	Ok	Bad
E	storage	Issue	Bad

ITWhisperer · ‎09-02-2024

| eventstats values(eval(if(status="Issue","Bad",null()))) as Health
| fillnull value="Ok" Health

View solution in original post

PickleRick · ‎08-29-2024

It's not clear how the health field is calculated. One way is what @ITWhisperer showed but it won't match your mockup results - you have health=bad all acros the board.

ITWhisperer · ‎08-29-2024

Are you saying that you want a health field that has "Bad" in for all the events if any of the events have status="Issue"?

RSS_STT · ‎08-29-2024

Yes, Your understanding is correct.

ITWhisperer · ‎08-29-2024

| eventstats values(eval(if(status="Issue","Bad",null()))) as Health

RSS_STT · ‎09-02-2024

It's missing the fields value if all Ok.

I need Health field to be populated with Ok if all status field have all Ok value.

ITWhisperer · ‎09-02-2024

| eventstats values(eval(if(status="Issue","Bad",null()))) as Health
| fillnull value="Ok" Health

richgalloway · ‎08-29-2024

Use the eval command to create a field.

| eval Health = if(status="Issue", "Bad", "Ok")

---
If this reply helps you, Karma would be appreciated.

Create static fields after matching the field value

Other

stats

subsearch

Preparing your Splunk Environment for OpenSSL3

Unleash Unified Security and Observability with Splunk Cloud Platform

Splunk AppDynamics with Cisco Secure Application