Splunk Search

How can you get a single value based on eval results?

Communicator

Hello,

I have a search that joins together data. The search works great, but the results that I'm trying to get are proving a bit tricky.

index=tsv 
|rename BOID AS id
|dedup SurveyInstanceID QuestionID QuestionText QuestionAnswer QuestionAnswerWeight

|join id [`init(assessments)` 
|rename info_name as assessmentName
|dedup assessmentName
|`fp_mvexpand(related_vendors)`
|eval RV = mvindex(related_vendors,0) ]

|join RV [ `init(vendors)`
|rename id as RV info_name as Vendor
|dedup Vendor]

| search Vendor=$vendor$

|streamstats count(QuestionID) by SectionTitle
|rename count(QuestionID) as total

| eval "Section Status"=case(SectionTitle == "1.1" AND total == "3", "Completed",  
SectionTitle == "1.2 " AND total == "4", "Completed", 
SectionTitle == "1.3" AND total == "3", "Completed", 
true(), "Incomplete")
|rename total as "Questions Answered" SectionTitle as "Section Title"

The goal is that if "Section Status" == "Incomplete" AT ALL, return "Incomplete"; otherwise it's "Complete".

This causes every record to be evaluated, which is not what I'm trying to get. I only need it to return a single result.

So if, let's say:

SectionTitle == "1.1" AND total == "3"
SectionTitle == "1.2 " AND total == "2"
SectionTitle == "1.3" AND total == "3"

The result would be "Incomplete"

I plan on making this a single value panel on a dashboard

Thanks for the assistance

0 Karma
1 Solution

SplunkTrust

Try this.

... | eval "Section Status"=case(SectionTitle == "1.1" AND total == "3", "Completed",  
 SectionTitle == "1.2 " AND total == "4", "Completed", 
 SectionTitle == "1.3" AND total == "3", "Completed", 
 true(), "Incomplete")
| stats count(eval('Section Status'="Incomplete")) as IncompleteCount values(total) as total values(SectionTitle) as SectionTitle
| eval Status=if(IncompleteCount=0, "Completed", "Incomplete")
|rename total as "Questions Answered" SectionTitle as "Section Title"
---
If this reply helps you, an upvote would be appreciated.

Communicator

yep that worked, I just added "|fields Status" and then made it into a single value panel.
Thanks for the help!

0 Karma
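
Added example (not part of the original thread): the same collapse-to-one-row pattern run against constructed events, so it can be pasted into a Splunk search bar without the `tsv` index or the `init` macros. The `makeresults` rows, the `n` and `required` fields, and the step that reduces the data to one row per section with `stats count as total by SectionTitle` are assumptions of this example; the constructed data mirrors the question's case of 3, 2 and 3 answered questions.

```spl
| makeresults count=8
| streamstats count as n
| eval SectionTitle=case(n<=3, "1.1", n<=5, "1.2", true(), "1.3")
| stats count as total by SectionTitle
| eval required=case(SectionTitle=="1.1", 3, SectionTitle=="1.2", 4, SectionTitle=="1.3", 3)
| eval "Section Status"=if(total==required, "Completed", "Incomplete")
| stats count(eval('Section Status'="Incomplete")) as IncompleteCount
| eval Status=if(IncompleteCount==0, "Completed", "Incomplete")
| fields Status
```

Changing the first line to `count=10` and `n<=5` to `n<=7` gives section 1.2 its four answers, which lets you check the other branch of the final `if`.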