I want to compare the two columns that I get dynamically from my search result. I want to compare both fields.
Sourcetype    result
xxxx          normal
xxxx          elevated
xxxx          critical
I want to compare both values: if any sourcetype is critical, the final result is critical; or else, if any sourcetype is elevated, the result is elevated. If everything is normal, the result is "normal".
Can we compare like this?
.. | eval result=case(sourcetype=="critical" AND result=="critical","critical",sourcetype=="elevated" AND result=="elevated","elevated",sourcetype=="normal" AND result=="normal","normal")
Errrm, I might be missing something, but based on what you are saying, that is, if my sourcetype is critical result should be critical and so on, why don't you simply do the following:
| eval result = sourcetype
Or even better, use the value of sourcetype directly instead of defining a new field.
If on the other hand, you just want to compare against certain values of the sourcetype field before you assign the value of result, then you can use the following syntax:
| eval result = case( match(sourcetype, "keyword_for_critical_sourcetypes") , "critical", match(sourcetype, "keyword_for_elevated_sourcetypes"), "elevated", match(sourcetype, "keyword_for_normal_sourcetypes"), "normal", 1==1, "everything else" )
Note you can use exact matching (==) instead of match if you know exactly what you are comparing against.
Hope that helps,
Just add this:
| eval MyAnswer=1 | chart count useother=f limit=0 over MyAnswer BY sourcetype | foreach * [eval <<FIELD>>="<<FIELD>>"] | eval MyAnswer=coalesce(critical, elevated, normal, "ERROR!")
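As an added example, not from the original thread, the same "highest severity wins" rollup can be written as a numeric rank instead of relying on the column names produced by chart. The rows come from makeresults as constructed sample data standing in for the real search, and the sourcetype names are placeholders; any result value outside normal/elevated/critical ranks as 0, so a search where nothing is recognised ends in "ERROR!" just as in the answer above.

```spl
| makeresults count=3
| streamstats count AS n
| eval sourcetype=case(n==1, "host_logs", n==2, "proxy_logs", n==3, "auth_logs")
| eval result=case(n==1, "normal", n==2, "elevated", n==3, "normal")
| eval severity=case(result=="critical", 3, result=="elevated", 2, result=="normal", 1, 1==1, 0)
| eventstats max(severity) AS max_severity
| eval overall=case(max_severity==3, "critical", max_severity==2, "elevated", max_severity==1, "normal", 1==1, "ERROR!")
| table sourcetype result severity overall
```

With these sample rows every row carries overall="elevated"; replace eventstats with stats max(severity) AS max_severity if you only want the single verdict row.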
Hey @prashanthberam, did any of these Answers work for you? If so, please accept one.