Solved: Re: How can I combine 2 search strings onto 1 dash...

dhardingatn · ‎08-23-2017

I have 2 search strings that I am trying to combine to put on one dashboard.

sourcetype=snmp_ta host=* | eval fuel=case(ppscFuelLevel > 10000, 0, 1=1, ppscFuelLevel), FuelPct = fuel/100 | stats latest(FuelPct)

and

sourcetype=snmp_ta host=* | eval fuel=case(fuelLevel > 10000, 0, 1=1, fuelLevel), FuelPct = fuel/100 | stats latest(FuelPct)

These strings are from different generators both reporting fuel levels.

Can you help?

s2_splunk · ‎08-23-2017

Try using coalesce, like so:
sourcetype=snmp_ta host=* | eval myFuelLevel = coalesce(ppscFuelLevel, fuelLevel) | eval fuel=case(myFuelLevel > 10000, 0, 1=1, myFuelLevel), FuelPct = fuel/100 | stats latest(FuelPct)

View solution in original post

somesoni2 · ‎08-23-2017

In final output, do you want to two columns, showing FuelPct for different criteria?

s2_splunk · ‎08-23-2017

Try using coalesce, like so:
sourcetype=snmp_ta host=* | eval myFuelLevel = coalesce(ppscFuelLevel, fuelLevel) | eval fuel=case(myFuelLevel > 10000, 0, 1=1, myFuelLevel), FuelPct = fuel/100 | stats latest(FuelPct)

dhardingatn · ‎08-23-2017

Thank You, I have the Fuel Percentage reporting on a Fuel Gauge to monitor the Fuel. It is working now so that I can combine 2 dashboards into one.

s2_splunk · ‎08-23-2017

No problem, glad to help.
FWIW, you can also replace the case function with an if: fuel=if(myFuelLevel > 10000, 0, myFuelLevel) since you only have one condition.

How can I combine 2 search strings onto 1 dashboard?

Developer Spotlight with Paul Stout

State of Splunk Careers 2024: Maximizing Career Outcomes and the Continued Value of ...

Data-Driven Success: Splunk & Financial Services