Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: How to compare multiple fields?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi All,
I want to compare three fields value(may be) to arrive at new field. (mentioned 3 as it may require to compare the actual start time with expected start time and current time)
I am having some fields from my look up. Job_Name and expected_start_time. And I am calculating the actual_start_time from the search query result.
So I want to create a new field like Status which tells me whether the job started on time or it is delayed or Expected start time not yet arrived.
Below is the sample output i am looking for. Consider the current time is 13:10
Job_Name Expected_start_time Actual_Start_Time Status
1a 08.30 10.00 Late start
1b 10.00 09:00 Started Earlier
1c 13:00 -- Not yet started on the expected start time
1d 18:00 -- Waiting for the expected start time
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Assuming you've done the lookup to get fields Job_Name Expected_start_time and Actual_Start_Time in your search results, try something like this
your current search giving fields Job_Name Expected_start_time and Actual_Start_Time
| eval epochExpected=strptime(Expected_start_time,"%H:%M") | eval epochActual=strptime(Actual_Start_Time,"%H:%M")
| eval Status=case(isnotnull(epochActual) AND epochActual>epochExpected,"Late start",
isnotnull(epochActual) AND epochActual=epochExpected ,"On time start",
isnotnull(epochActual) AND epochActual<epochExpected, "Started earlier",
isnull(epochActual) AND epochExpected<now(), "Not yet started on the expected start time",
isnull(epochActual) AND epochExpected>now(), "Waiting for the expected start time", true(),"Undefined")
| fields - epoch*
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Assuming you've done the lookup to get fields Job_Name Expected_start_time and Actual_Start_Time in your search results, try something like this
your current search giving fields Job_Name Expected_start_time and Actual_Start_Time
| eval epochExpected=strptime(Expected_start_time,"%H:%M") | eval epochActual=strptime(Actual_Start_Time,"%H:%M")
| eval Status=case(isnotnull(epochActual) AND epochActual>epochExpected,"Late start",
isnotnull(epochActual) AND epochActual=epochExpected ,"On time start",
isnotnull(epochActual) AND epochActual<epochExpected, "Started earlier",
isnull(epochActual) AND epochExpected<now(), "Not yet started on the expected start time",
isnull(epochActual) AND epochExpected>now(), "Waiting for the expected start time", true(),"Undefined")
| fields - epoch*
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Wonderful @somesoni2. Thank you very much!
Index This | What is broken 80% of the time by February?
Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...
Splunk MCP & Agentic AI: Machine Data Without Limits
