Splunk Search

How to count and compare & produce the output?

georgear7
Communicator

I have the below table from the mentioned query.

 

sourcetype=abc source=*restart.log
| rex field=_raw "server (?<JVM>\w+.*APP).......etc....(to grep the JVM & status, i have used 'rex' command)
| rex field=source "/applications(?<Request>\d+)/\w+.*"
| table host,Request,JVM,Status
| dedup host,Request,JVM,Status

 

 

host Request JVM Status
host1 46742 A1_APP started
host1 46742 A2_APP started
host2 46742 B1_APP started
host2 46742 B2_APP failed
host1 27598 C1_APP started
host2 27598 D1_APP started
host1 27598 C2_APP started


From the above table, I want my query to check whether all the JVMs present in a 'Request' got started or not. The number of JVMs will vary. If all JVMs got restarted, my final output should be 'Success'; otherwise it should be 'Failure', even if only one of the JVMs was not started.

Output should be like below:
Request Result
46742 Failure
27598 Success


rnowitzki
Builder

Hi,

This should do it. You might want to add some error handling (when there is no status given for a Request - if that can happen in your data).

| stats values(Status) as Status by Request
| eval Result = if(mvfilter(match(Status, "failed"))="failed", "Failure", "Success")
| fields - Status
--
Karma and/or Solution tagging appreciated.

georgear7
Communicator

@rnowitzki This is working fine, thank you.

0 Karma
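The answer above suggests adding error handling for a Request that has no status. One way to do that, as an added example that is not part of the original thread: every row whose Status is anything other than "started", including a missing one, makes the Request a Failure, and the JVMs responsible are listed. The rows are constructed from the table in the question; Request 99999 with JVM E1_APP, the placeholder value "unknown", and the field names constructed_rows, not_started, rows and started are assumptions made for the example.

```spl
| makeresults
| eval constructed_rows=split("host1,46742,A1_APP,started;host1,46742,A2_APP,started;host2,46742,B1_APP,started;host2,46742,B2_APP,failed;host1,27598,C1_APP,started;host2,27598,D1_APP,started;host1,27598,C2_APP,started;host1,99999,E1_APP", ";")
| mvexpand constructed_rows
| rex field=constructed_rows "^(?<host>[^,]+),(?<Request>\d+),(?<JVM>\w+)(?:,(?<Status>\w+))?$"
| dedup host,Request,JVM,Status
| fillnull value="unknown" Status
| eval not_started=if(Status!="started", JVM." (".Status.")", null())
| stats count as rows
        count(eval(Status="started")) as started
        values(not_started) as not_started
        by Request
| eval Result=if(started==rows, "Success", "Failure")
| table Request Result rows started not_started
```

Against real data, replace everything up to and including the `rex` line with the base search from the question.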