Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

FULL NULL Values based on certain values

davidcraven02
Communicator
‎01-02-2018 01:18 PM

The OverAllStatus only displays on the first row but I require the OverAllStatus to be displayed on each row for each machine (either Pass or Fail).

I need some sort of eval to correctly assign the OverAllStatus on each row for each machine.

I use this eval to determine if the OverAllStatus is a Pass or Fail in the first place 

 | eval OverAllStatus=case(jobStatusSummary="Success", "Pass", jobStatusSummary="NoBackUp", "NoBackUp", jobStatusSummary!="Success", "Fail")

alt text

Preview file
1 KB
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

micahkemp
Champion
‎01-02-2018 03:36 PM

Try:

| eval OverAllStatus=case(jobStatusSummary="Success", "Pass", jobStatusSummary="NoBackUp", "NoBackUp", jobStatusSummary!="Success", "Fail") | streamstats last(OverAllStatus) AS OverAllStatus BY machine

That assumes the first event per host already have an OverAllStatus value. If it is possible that value won't be present for the first event per machine you may try this:

| eval OverAllStatus=case(jobStatusSummary="Success", "Pass", jobStatusSummary="NoBackUp", "NoBackUp", jobStatusSummary!="Success", "Fail") | eventstats last(OverAllStatus) AS OverAllStatus BY machine

View solution in original post

Reply
Solved! Jump to solution

DalJeanis
Legend
‎01-02-2018 04:21 PM

Add a line after you set OverAllStatus...

| eventstats max(OverAllStatus) as OverAllStatus by machine
Reply
Solved! Jump to solution
Solution

micahkemp
Champion
‎01-02-2018 03:36 PM

Try:

| eval OverAllStatus=case(jobStatusSummary="Success", "Pass", jobStatusSummary="NoBackUp", "NoBackUp", jobStatusSummary!="Success", "Fail") | streamstats last(OverAllStatus) AS OverAllStatus BY machine

That assumes the first event per host already have an OverAllStatus value. If it is possible that value won't be present for the first event per machine you may try this:

| eval OverAllStatus=case(jobStatusSummary="Success", "Pass", jobStatusSummary="NoBackUp", "NoBackUp", jobStatusSummary!="Success", "Fail") | eventstats last(OverAllStatus) AS OverAllStatus BY machine

Reply
Solved! Jump to solution

davidcraven02
Communicator
‎01-02-2018 04:34 PM

Thank you very much for your help, this is great!

0 Karma
Reply
Get Updates on the Splunk Community!

Join Us for Splunk University and Get Your Bootcamp Game On!

If you know, you know! Splunk University is the vibe this summer so register today for bootcamps galore ...

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

.conf24 is taking place at The Venetian in Las Vegas from June 11 - 14. Continue reading to learn about the ...

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...