Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to chooose one value based on applying conditions to table column

Naga
Engager
‎10-06-2020 01:21 AM

I have a table like below. Which plots different services under one column Service A (Subservices - A1 to A5) / Service B (Subservices - B1 to B5) .  I need to take a new column denotes one Final Status like this if any of one Status is RED then the final status is RED, If there is no RED but one YELLOW And many GREEN then final status if YELLOW. What will be the best condition i can use to achieve the final one result

ServiceStatus
A1GREEN
A2RED
A3YELLOW
A4 GREEN
A5GREEN
Labels (1)
Labels
Tags (1)
0 Karma
Reply

renjith_nair
Legend
‎10-06-2020 01:38 AM

Try

 

|eventstats values(Status) as StatusList by Parent
|eval FinalStatus=case(isnotnull(mvfind(StatusList,"RED")),"RED",isnotnull(mvfind(StatusList,"YELLOW")),"YELLOW",isnotnull(mvfind(StatusList,"GREEN")),"GREEN",1==1,"NA")
|fields - StatusList

 

Here Parent is 'A'

Run anywhere example

 

|makeresults|eval Service="A1 A2 A3 A4 A5"|makemv Service|mvexpand Service
|appendcols [|makeresults | eval Status="GREEN RED YELLOW GREEN GREEN"|makemv Status|mvexpand Status]
|table Service, Status
|rex field=Service "(?<Parent>\D+)"
|eventstats values(Status) as StatusList by Parent
|eval FinalStatus=case(isnotnull(mvfind(StatusList,"RED")),"RED",isnotnull(mvfind(StatusList,"YELLOW")),"YELLOW",isnotnull(mvfind(StatusList,"GREEN")),"GREEN",1==1,"NA")
|fields - StatusList

 

Parent extraction is a simple rex for this dummy data and you should change based on actual data

You can replace eventstats with stats if you want only one status per service

---
What goes around comes around. If it helps, hit it with Karma 🙂
0 Karma
Reply
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...