Splunk Search

Displaying either value or fixed string based on if statement

ejeny
Explorer

Hello everyone,

So what I'm trying to do with this is print out a value into a Single Value Panel (42). Depending on whether or not there are any results (hence the count) I want to either print out "Failure" or the actual value; however, instead of printing out the actual value it prints out a 0. I just started using Splunk, so bear in mind I'm a complete and utter newbie at this for now.

Code:

index=some_number source="some_source" "<tag>"
| rename value as name
| fields name
| stats count(name) AS Count
| eval value=if(Count==0, "Failure", name)
| fields value
| eval range=if(value=="Failure", "severe", "low")

Thank you in advance!

0 Karma
1 Solution

ejeny
Explorer

I did manage to come across a more elegant solution:

index=some_number source="some_source" "<tag>"
| appendpipe [ stats count 
| eval value=case(count==0, "Critical Error") ]
| fields value
| eval range=case(value=="Critical Error", "severe", value!="Critical Error", "low")

Thank you both for your help though!

EDIT: A better answer, due to DalJeanis:

index=some_number source="some_source" "<tag>"
| head 1
| stats count first(value) as value
| eval value=coalesce(value,"Failure")
| fields value
| eval range=if(value=="Failure", "severe", "low")


0 Karma


DalJeanis
SplunkTrust

That code does not provide a single value... and, I finally see what you were trying to do. You don't need the appendpipe.

If any records are retrieved, you want to grab the field "value" from the most recent record. If no records are retrieved, then you want the field to read "Failure".

Try this...

 index=some_number source="some_source" "<tag>" value=*
| head 1
| stats count first(value) as value
| eval value=coalesce(value,"Failure")
| fields value
| eval range=if(value=="Failure", "severe", "low")

Updated to kill count field, which has to be there in case there are no records returned.

ejeny
Explorer

Thank you Dal. I tried that and it is significantly faster, but I either get a red 0 or a green 1 and not the actual values. The stats count command seems to overwrite pretty much anything unless I put it into a separate pipe.

EDIT: Fixed it by adding '| fields value' between the two evals. Thanks a lot, Dal!

DalJeanis
SplunkTrust

You just confused yourself. name does not exist after your stats command. Also, avoid renaming things when they are going away anyway.

Try this...

 index=some_number source="some_source" "<tag>"
 | stats count(value) AS Count
 | eval Count=if(Count==0, "Failure", Count)
 | eval range=if(Count=="Failure", "severe", "low")
0 Karma

ejeny
Explorer

So is there no way to use the stats command and preserve the original data and use it? That's the issue I'm having: if, for example, the search gave me "cheese" as an answer I'd want that displayed in green (low), but if it finds no results, display "Failure" in red.

0 Karma

niketn
Legend

[UPDATED ANSWER]
Based on the details provided for the use case, I have updated the answer with a run-anywhere search; please see if this is what is required.

If the value is success, obviously your count will be greater than 0. Hence there will be more than one value available. If you have more than one value for a field, Single Value Panel is not the correct visualization. However, comma separated values can be displayed in Single Value Panel.

You can run your main query with stats computing count(value) as Count and values(value) as Value in your base search and then pass on the Count and Value as tokens to your Single Value visualization. The following is a run-anywhere search using Splunk's _internal index. You can switch log_level between "INFO" and "BLAH" to test the >0 and 0 conditions.

<form>
  <label>Count and value via tokens</label>
  <search>
    <!--Switch log_level between INFO and BLAH to check greater than zero and zero conditions -->
    <query>index=_internal sourcetype=splunkd log_level="INFO"
| stats count(component) as count values(component) as value</query>
    <earliest>-1h@h</earliest>
    <latest>now</latest>
    <sampleRatio>1</sampleRatio>
    <done>
      <condition match="$job.resultCount$==0">
        <set token="tokCount">0</set>
        <set token="tokValue">Failure</set>
      </condition>
      <condition>
        <set token="tokCount">$result.count$</set>
        <!-- The token substitutes a bare string into the eval, so it must be quoted;
             otherwise a value such as Metrics is read as a (null) field name -->
        <eval token="tokValue">case("$result.value$"=="","Failure",true(),"$result.value$")</eval>
      </condition>
    </done>
  </search>
  <row>
    <panel>
      <single>
        <!-- rangemap colours on the numeric count, then count is overwritten with the text to display -->
        <search>
          <query>| makeresults
| eval count=$tokCount$
| rangemap field=count severe=0-0 default=low
| eval count="$tokValue$"
          </query>
        </search>
        <option name="colorBy">value</option>
        <option name="colorMode">block</option>
        <option name="drilldown">none</option>
        <option name="numberPrecision">0</option>
        <option name="rangeColors">["0xd93f3c","0x65a637"]</option>
        <option name="rangeValues">[0]</option>
        <option name="showSparkline">1</option>
        <option name="showTrendIndicator">1</option>
        <option name="trellis.enabled">0</option>
        <option name="trellis.scales.shared">1</option>
        <option name="trellis.size">medium</option>
        <option name="trendColorInterpretation">standard</option>
        <option name="trendDisplayMode">absolute</option>
        <option name="unitPosition">after</option>
        <option name="useColors">0</option>
        <option name="useThousandSeparators">1</option>
      </single>
    </panel>
  </row>
</form>

@ejeny, in order to display 0 as Failure and a positive count >0 as Success, the following query can be used. It uses rangemap to create a field called range with mapped values: >0 is low (green) and =0 is severe (red).

index=some_number source="some_source" "<tag>" value="*"
| stats count(value) as Count
| rangemap field=Count severe=0-0 default=low
| eval Count=if(Count==0,"Failure","Success")

PS: Rangemap has limited support for applying color in Single Value. So colors might not apply if you explicitly select Color option from Single value Panel Settings. Refer to documentation: http://docs.splunk.com/Documentation/Splunk/latest/Viz/SingleValueFormatting#Migration_for_rangemap_....

In your existing code | rename value as name and |fields name seem unnecessary.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

ejeny
Explorer

Ah, but if instead of Success I wanted to display value (as in the data) how would one go about that? Thank you for your help so far!

0 Karma

ejeny
Explorer

I see, I see. Well, I suppose in that case I'm just going to have 2 separate panels then, one saying it's a pass or a fail and one that displays the actual data. I don't suppose mentioning that at any one time I know there will always be exactly one result (hence using Single Value) would change anything?

0 Karma

niketn
Legend

You can use a concept like the above and pass the results on to two panels. No results/no count: display a single value; more than one result: display a table. You can do this by adding depends with the token name to your panels, which should be hidden when the token is not set. You would also have to set one of the tokens and unset the other token based on whether count is 0 or not.

Let me know if you need example.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
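Below is a complete run-anywhere dashboard that puts the two pieces of this thread together: DalJeanis's head 1 / stats count first(value) / coalesce pattern in a base search, and the two-panel depends/token layout described in the post just above. It is an added example, not code from the thread, from Splunk's documentation or from any of the posters. The search id "base", the token names tokFail and tokOk, the underLabel text and the makeresults data are constructed assumptions; in a real dashboard the makeresults, streamstats and eval lines are replaced by the poster's own index=some_number source="some_source" "<tag>" value=* search.

```xml
<form>
  <label>Single result check (added example, constructed data)</label>
  <!-- Base search. The makeresults/streamstats/eval lines are constructed stand-ins
       for the poster's own index=... value=* search. Change the search clause to
       value="nothing" to simulate the no-results case. -->
  <search id="base">
    <query>| makeresults count=3
| streamstats count as n
| eval value="cheese".n
| search value="cheese*"
| head 1
| stats count first(value) as value
| eval value=coalesce(value,"Failure")</query>
    <earliest>-24h@h</earliest>
    <latest>now</latest>
    <!-- stats count returns exactly one row even for zero input events, so the done
         handler can branch on count; each branch sets one token and unsets the other -->
    <done>
      <condition match="$result.count$ == 0">
        <set token="tokFail">true</set>
        <unset token="tokOk"></unset>
      </condition>
      <condition>
        <set token="tokOk">true</set>
        <unset token="tokFail"></unset>
      </condition>
    </done>
  </search>
  <row>
    <!-- Visible only while tokFail is set: the numeric 0 in red, labelled Failure -->
    <panel depends="$tokFail$">
      <single>
        <search base="base">
          <query>| table count</query>
        </search>
        <option name="underLabel">Failure</option>
        <option name="colorBy">value</option>
        <option name="colorMode">block</option>
        <option name="useColors">1</option>
        <option name="rangeColors">["0xd93f3c","0x65a637"]</option>
        <option name="rangeValues">[0]</option>
        <option name="drilldown">none</option>
      </single>
    </panel>
    <!-- Visible only while tokOk is set: the value taken from the most recent event -->
    <panel depends="$tokOk$">
      <table>
        <search base="base">
          <query>| table value</query>
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
  </row>
</form>
```

Colouring is applied to the numeric count rather than to the "Failure" string, which sidesteps the rangemap limitation niketn mentions; the text the user asked for goes in the underLabel instead. Both panels post-process the same base search, so the job runs once and the two panels can never disagree about whether a result existed.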