Splunk Search
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to apply the condition in multivalue event?

VsplunkV
Explorer
‎02-21-2018 01:01 PM

Splunk Experts,

How to write the eval command to compare the Multivalue, Below is data,

    **Servicename**    **Status**                                          ServerName
                                                                              NGS121
     Ad_service          Running
     CIM_service         Running
      Jabber             NotRunning
      Citrix             NotRunning.

IF any of the Status is "NotRunning" I should get the ServiceStatus as "Not-Running" O/P as 

Servername                 ServiceStatus

NGS121                     Not-Running
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎02-21-2018 02:44 PM

Try like this

your current search giving multivalued field Status and other fields
| eval Status=if(isnotnull(mvfilter(Status,"NotRunning")),"NonRunning","Running")

View solution in original post

Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎02-21-2018 02:44 PM

Try like this

your current search giving multivalued field Status and other fields
| eval Status=if(isnotnull(mvfilter(Status,"NotRunning")),"NonRunning","Running")
Reply
Solved! Jump to solution

VsplunkV
Explorer
‎02-21-2018 02:53 PM

Thank you. It worked

0 Karma
Reply
Solved! Jump to solution

elliotproebstel
Champion
‎02-21-2018 02:12 PM

This will create a field called ServiceStatus and assign it the value Not-Running if any value for Status is set to NotRunning, and then it will retain only the events where ServiceStatus="Not-Running":

[ your existing search ]
| eval ServiceStatus=if(like(Status, "NotRunning"), "Not-Running", "Running")
| where ServiceStatus="Not-Running"
| fields ServerName ServiceStatus
Reply
Solved! Jump to solution

VsplunkV
Explorer
‎02-21-2018 02:52 PM

Thank you. It worked.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk AI Assistant for SPL | Key Use Cases to Unlock the Power of SPL

Splunk AI Assistant for SPL | Key Use Cases to Unlock the Power of SPL  The Splunk AI Assistant for SPL ...

Buttercup Games: Further Dashboarding Techniques (Part 5)

This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...

Customers Increasingly Choose Splunk for Observability

For the second year in a row, Splunk was recognized as a Leader in the 2024 Gartner® Magic Quadrant™ for ...
li.common.scroll-to.top