Splunk Search

How to compare multiple fields?

Kwip
Contributor

Hi All,
I want to compare three fields value(may be) to arrive at new field. (mentioned 3 as it may require to compare the actual start time with expected start time and current time)

I am having some fields from my look up. Job_Name and expected_start_time. And I am calculating the actual_start_time from the search query result.

So I want to create a new field like Status which tells me whether the job started on time or it is delayed or Expected start time not yet arrived.

Below is the sample output i am looking for. Consider the current time is 13:10

Job_Name Expected_start_time Actual_Start_Time Status
1a         08.30              10.00             Late start
1b         10.00              09:00             Started Earlier 
1c         13:00              --                Not yet started on the expected start time
1d         18:00              --                Waiting for the expected start time
0 Karma
1 Solution

somesoni2
SplunkTrust
SplunkTrust

Assuming you've done the lookup to get fields Job_Name Expected_start_time and Actual_Start_Time in your search results, try something like this

your current search giving fields  Job_Name Expected_start_time and Actual_Start_Time
| eval epochExpected=strptime(Expected_start_time,"%H:%M") | eval epochActual=strptime(Actual_Start_Time,"%H:%M")
| eval Status=case(isnotnull(epochActual) AND epochActual>epochExpected,"Late start",   
isnotnull(epochActual) AND epochActual=epochExpected ,"On time start",
 isnotnull(epochActual) AND epochActual<epochExpected, "Started earlier", 
isnull(epochActual) AND epochExpected<now(), "Not yet started on the expected start time", 
isnull(epochActual) AND epochExpected>now(), "Waiting for the expected start time", true(),"Undefined")
| fields - epoch*

View solution in original post

somesoni2
SplunkTrust
SplunkTrust

Assuming you've done the lookup to get fields Job_Name Expected_start_time and Actual_Start_Time in your search results, try something like this

your current search giving fields  Job_Name Expected_start_time and Actual_Start_Time
| eval epochExpected=strptime(Expected_start_time,"%H:%M") | eval epochActual=strptime(Actual_Start_Time,"%H:%M")
| eval Status=case(isnotnull(epochActual) AND epochActual>epochExpected,"Late start",   
isnotnull(epochActual) AND epochActual=epochExpected ,"On time start",
 isnotnull(epochActual) AND epochActual<epochExpected, "Started earlier", 
isnull(epochActual) AND epochExpected<now(), "Not yet started on the expected start time", 
isnull(epochActual) AND epochExpected>now(), "Waiting for the expected start time", true(),"Undefined")
| fields - epoch*

Kwip
Contributor

Wonderful @somesoni2. Thank you very much!

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...