Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: How to compare multiple fields?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi All,
I want to compare three fields value(may be) to arrive at new field. (mentioned 3 as it may require to compare the actual start time with expected start time and current time)
I am having some fields from my look up. Job_Name and expected_start_time. And I am calculating the actual_start_time from the search query result.
So I want to create a new field like Status which tells me whether the job started on time or it is delayed or Expected start time not yet arrived.
Below is the sample output i am looking for. Consider the current time is 13:10
Job_Name Expected_start_time Actual_Start_Time Status
1a 08.30 10.00 Late start
1b 10.00 09:00 Started Earlier
1c 13:00 -- Not yet started on the expected start time
1d 18:00 -- Waiting for the expected start time
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Assuming you've done the lookup to get fields Job_Name Expected_start_time and Actual_Start_Time in your search results, try something like this
your current search giving fields Job_Name Expected_start_time and Actual_Start_Time
| eval epochExpected=strptime(Expected_start_time,"%H:%M") | eval epochActual=strptime(Actual_Start_Time,"%H:%M")
| eval Status=case(isnotnull(epochActual) AND epochActual>epochExpected,"Late start",
isnotnull(epochActual) AND epochActual=epochExpected ,"On time start",
isnotnull(epochActual) AND epochActual<epochExpected, "Started earlier",
isnull(epochActual) AND epochExpected<now(), "Not yet started on the expected start time",
isnull(epochActual) AND epochExpected>now(), "Waiting for the expected start time", true(),"Undefined")
| fields - epoch*
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Assuming you've done the lookup to get fields Job_Name Expected_start_time and Actual_Start_Time in your search results, try something like this
your current search giving fields Job_Name Expected_start_time and Actual_Start_Time
| eval epochExpected=strptime(Expected_start_time,"%H:%M") | eval epochActual=strptime(Actual_Start_Time,"%H:%M")
| eval Status=case(isnotnull(epochActual) AND epochActual>epochExpected,"Late start",
isnotnull(epochActual) AND epochActual=epochExpected ,"On time start",
isnotnull(epochActual) AND epochActual<epochExpected, "Started earlier",
isnull(epochActual) AND epochExpected<now(), "Not yet started on the expected start time",
isnull(epochActual) AND epochExpected>now(), "Waiting for the expected start time", true(),"Undefined")
| fields - epoch*
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Wonderful @somesoni2. Thank you very much!
[Puzzles] Solve, Learn, Repeat: Dynamic formatting from XML events
Enter the Agentic Era with Splunk AI Assistant for SPL 1.4
Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...
