Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

How to compare multiple fields?

Kwip
Contributor
‎04-19-2018 10:37 AM

Hi All,
I want to compare three fields value(may be) to arrive at new field. (mentioned 3 as it may require to compare the actual start time with expected start time and current time)

I am having some fields from my look up. Job_Name and expected_start_time. And I am calculating the actual_start_time from the search query result.

So I want to create a new field like Status which tells me whether the job started on time or it is delayed or Expected start time not yet arrived.

Below is the sample output i am looking for. Consider the current time is 13:10

Job_Name Expected_start_time Actual_Start_Time Status
1a         08.30              10.00             Late start
1b         10.00              09:00             Started Earlier 
1c         13:00              --                Not yet started on the expected start time
1d         18:00              --                Waiting for the expected start time
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎04-19-2018 12:03 PM

Assuming you've done the lookup to get fields Job_Name Expected_start_time and Actual_Start_Time in your search results, try something like this

your current search giving fields  Job_Name Expected_start_time and Actual_Start_Time
| eval epochExpected=strptime(Expected_start_time,"%H:%M") | eval epochActual=strptime(Actual_Start_Time,"%H:%M")
| eval Status=case(isnotnull(epochActual) AND epochActual>epochExpected,"Late start",   
isnotnull(epochActual) AND epochActual=epochExpected ,"On time start",
 isnotnull(epochActual) AND epochActual<epochExpected, "Started earlier", 
isnull(epochActual) AND epochExpected<now(), "Not yet started on the expected start time", 
isnull(epochActual) AND epochExpected>now(), "Waiting for the expected start time", true(),"Undefined")
| fields - epoch*

View solution in original post

Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎04-19-2018 12:03 PM

Assuming you've done the lookup to get fields Job_Name Expected_start_time and Actual_Start_Time in your search results, try something like this

your current search giving fields  Job_Name Expected_start_time and Actual_Start_Time
| eval epochExpected=strptime(Expected_start_time,"%H:%M") | eval epochActual=strptime(Actual_Start_Time,"%H:%M")
| eval Status=case(isnotnull(epochActual) AND epochActual>epochExpected,"Late start",   
isnotnull(epochActual) AND epochActual=epochExpected ,"On time start",
 isnotnull(epochActual) AND epochActual<epochExpected, "Started earlier", 
isnull(epochActual) AND epochExpected<now(), "Not yet started on the expected start time", 
isnull(epochActual) AND epochExpected>now(), "Waiting for the expected start time", true(),"Undefined")
| fields - epoch*
Reply
Solved! Jump to solution

Kwip
Contributor
‎04-19-2018 08:26 PM

Wonderful @somesoni2. Thank you very much!

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

Hello Splunkers,  We’re excited to kick off a Splunk Dashboard contest! We know that dashboards are a primary ...

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...