Splunk Search
Highlighted

How do I get these three conditions to work in my search for a field output?

New Member

I have search output wherein in field DB_NotBackedup has 3 values:
1- null value
2- value greater than 3
3- value less than 3

I need out of BackupStatus output missed if 'DBNotBackedup' has null, Failed if 'DBNotBackedup' has >3, and success if 'DBNotBackedup' and < 3

Can anyone help me here?

index=* sourcetype=conf host=*
| join type=outer max=0 host [search index=tsm sourcetype="tsm-client-log" host=* "Total Domino databases inspected"
| rex field=_raw "^(?:[^:\n]*:){3}\s+(?P.+)"]
| convert num(Total_Databases)
| table _time host Total_Databases
| join type=outer max=0 host [search index=tsm sourcetype="tsm-client-log" host=* "Total Domino databases backed up"
| rex field=_raw "^(?:[^:\n]*:){3}\s+(?P.+)"]
| convert num(DB_Backedup)
| dedup host
| table _time host Total_Databases DB_Backedup
| eval DB_NotBackedup = (Total_Databases - DB_Backedup)
| eval BackupDate=strftime(_time, "%Y/%m/%d")
| table BackupDate host Total_Databases DB_Backedup DB_NotBackedup
| eval Backup_Status=case(DB_NotBackedup=null, missed, DB_NotBackedup>3, failed, 1=1, Success)
| table Backup_Status host Total_Databases DB_Backedup DB_NotBackedup
0 Karma
Highlighted

Re: How do I get these three conditions to work in my search for a field output?

SplunkTrust
SplunkTrust

What seems to be the problem?

The case statement needs quotation marks:

| eval Backup_Status=case(DB_NotBackedup=null, "missed", DB_NotBackedup>3, "failed", 1=1, "Success")
---
If this reply helps you, an upvote would be appreciated.
0 Karma
Highlighted

Re: How do I get these three conditions to work in my search for a field output?

SplunkTrust
SplunkTrust

Replace your 2nd last line with this

| eval Backup_Status=case(isnull(DB_NotBackedup)l, missed, DB_NotBackedup>3, "Failed", 1=1, "Success")
0 Karma