How to display a single error in multiple inputs?

Dayalss · ‎06-13-2023

Hi ,

I have a search query -

| search Region = EMEA
| eval Status=case(Statistic=0,"Green" ,
Statistic=2,"Red",
Statistic=1,"Blue",
1==1, " " )
| appendpipe [ stats count | eval Status="Black" | where count=0 | fields - count]
| stats latest(Status)

The region has 7 SOD status data i.e. red and green. ,The issue is if one sod is in red state it is still showing green status.

What I require is even if there is a single red status it has to be picked and not the green one , as I am using it in a dashboard.

ITWhisperer · ‎06-13-2023

case function is evaluated left to right, so put your highest priority condition first

| eval Status=case(Statistic=2,"Red",
Statistic=1,"Blue",
Statistic=0,"Green" ,
1==1, " " )

Dayalss · ‎06-13-2023

Tried it , but still its showing green

ITWhisperer · ‎06-13-2023

Please share some sample events (anonymised as necessary) in a code block </> so we can see what you are dealing with.

How to display a single error in multiple inputs?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

May 2026 Splunk Expert Sessions: Security & Observability

Join the Conversation

How to display a single error in multiple inputs?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

May 2026 Splunk Expert Sessions: Security & Observability