Splunk Search

From a list of column values can we print one final, single message?

prashanthberam
Explorer

Hi All,
I want to compare result column Names which is displaying 3 kind of messages.
Normal, Elevated, Critical.
Example :

   Column A          Column B
   1                 Normal
   2                 Normal
   3                 Critical

etc

   Result :
  Critical  (I need only one message)

I want check the messages in Column B. Since Critical is one of the results in Column B then the result should be Critical. If there are no Critical results and they are all Normal then the output should be Normal. Same, any single Elevated result is Elevated.
Can we do that ?
Thanks,

0 Karma
1 Solution

pradeepkumarg
Influencer

Append something like this to your search. Might not be an elegant solution, but should work.

|dedup status | table status | eval Rank = if(status="Critical",3,if(status="Elevated",2,1)) | sort -Rank | table status | head 1

I just assigned a rank based on your order and just retaining the one with highest rank.

View solution in original post

0 Karma

pradeepkumarg
Influencer

Append something like this to your search. Might not be an elegant solution, but should work.

|dedup status | table status | eval Rank = if(status="Critical",3,if(status="Elevated",2,1)) | sort -Rank | table status | head 1

I just assigned a rank based on your order and just retaining the one with highest rank.

0 Karma

niketn
Legend

@prashanthberam, please add more details of what is your current data (raw events) and query along with current results, as the description is not sufficient.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

prashanthberam
Explorer

here is my query.
i need to check whether am getting the data from hosts or not in span 24 hours ,for that i have written search. am printing status of the host and source type whether am getting or not, If am getting the data from the host it is normal else Elevated else Critical, these messages am printing one column that is status. By using the status column messages i want to print one result overall.
index sourcetype time volume status
xx xxxx xx xxxx Normal
xxx xxxxx xx xxxx Normal
xxx xxx xx xxx Critical

Thanks In advance.

0 Karma

niketn
Legend

Try the following OveallStatus should give you what you are looking for:

| stats values(status) as status
| eval OverallStatus=case(status=="Critical","Critical",status=="Elevated","Elevated",status=="Normal","Normal")

Ideally you should be able to tweak your existing query to directly get the Overall Status.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

pradeepkumarg
Influencer

If you have both rows with Elevated and Critical, then what do you want to display in your result?

0 Karma

prashanthberam
Explorer

case 1 : Critical, normal, Elevated .... result : Critical
Case 2 : Normal, Normal, Elevated.... result : Elevated
case 3 : Normal, Normal, Normal.... result : Normal
case 4 : Elevated, Elevated, Elevated... result: Elevated

0 Karma
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...