Solved: How to edit our search to output certain values ba...

splunker9999 · ‎05-25-2016

Hi,

We have a requirement to write a search:

We have a status(up,down,disabled,enabled),
1.If status is up or enabled, we have given value range of 10 and is OK(Green)
2.If status is down or disabled, we have given a range of 0 and is severe (RED).

Below is our basic search, but it currently only works if status is Up or down. Can someone help in enhancing this search such that we can update for 4 statuses? When Up OR ENABLED, it should be value 10...If Down OR DISABLED, it should be 0 (SEVERE).

index=f5 server1  monitor status | fillnull value="up" F5_TCPStatus | eval status=if(F5_MonitorStatus="up",10,0)|head 1 |appendpipe [ stats count | eval status=10 | where count==0 | fields - count ] | stats values(status) AS severity | rangemap field=severity severe=0-9 low=10-11 default=elevated

somesoni2 · ‎05-25-2016

Try like this

index=f5 server1  monitor status | head 1| fillnull value="up" F5_TCPStatus | eval status=if(F5_MonitorStatus="up" OR F5_MonitorStatus="enabled",10,0) |appendpipe [ stats count | eval status=10 | where count==0 | fields - count ] | stats values(status) AS severity | rangemap field=severity severe=0-9 low=10-11 default=elevated

View solution in original post

somesoni2 · ‎05-25-2016

Try like this

index=f5 server1  monitor status | head 1| fillnull value="up" F5_TCPStatus | eval status=if(F5_MonitorStatus="up" OR F5_MonitorStatus="enabled",10,0) |appendpipe [ stats count | eval status=10 | where count==0 | fields - count ] | stats values(status) AS severity | rangemap field=severity severe=0-9 low=10-11 default=elevated

splunker9999 · ‎05-31-2016

Thanks....

How to edit our search to output certain values based on a status field?

Splunk Security Content for Threat Detection & Response, Q1 Roundup

Splunk Life | Happy Pride Month!

SplunkTrust | Where Are They Now - Michael Uschmann