Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to table results with multiple evals?

aohls
Contributor
‎03-08-2023 12:30 PM

I have a search where I have multiple evals to check if items are true of false. With my results I want to show something like:

Search Triggered Scheduled Test
TestAlert1

True

 True True

 

Currently what I am getting is something like this:

Search Triggered Scheduled Test
TestAlert1 True False False
TestAlert1 False True False
TestAlert1 False False True

I am thinking I need to use xyseries chart but am not sure.

Labels (2)
Labels
0 Karma
Reply

bowesmana
SplunkTrust
SplunkTrust
‎03-08-2023 02:19 PM

I assume that you are saying that if a search has True anywhere, then it's True, otherwise false.

You could do something like

| stats values(*) as * by Search
| foreach * [ eval <<FIELD>>=if(isnotnull(mvfind(<<FIELD>>, "True")), "True", "False") ]

but you could also set values to 1 and 0 for True/False and then do

| stats max(*) as * by Search
| foreach Triggered	Scheduled Test [ eval <<FIELD>>=if(<<FIELD>>=1, "True", "False") ]
0 Karma
Reply
Get Updates on the Splunk Community!

Happy CX Day, Splunk Community!

Happy CX Day, Splunk Community! CX stands for Customer Experience, and today, October 3rd, is CX Day — a ...

Splunk Observability Cloud | Customer Survey!

If you use Splunk Observability Cloud, we invite you to share your valuable insights with us through a brief ...

.conf23 | Get Your Cybersecurity Defense Analyst Certification in Vegas

We’re excited to announce a new Splunk certification exam being released at .conf23! If you’re going to Las ...