Splunk Search

How to use eval with If ,AND

Gaya3_devi
Explorer

Hello Splunkers,
I have the following query returning the search results,

index="demo1"
| search "metrics.job.overall_status"="FAILED" OR "metrics.job.overall_status"="PASSED" metrics.app="*"
| eval timestamp=strftime(floor('metrics.job.end_ts'), "%Y-%m-%d %H:%M:%S")
| sort 0 metrics.app timestamp
| streamstats current=f last(metrics.job.overall_status) as prev_status last(timestamp) as prev_timestamp by metrics.app
| fillnull value="NONE" prev_status
| fillnull value="NONE" prev_timestamp
| eval failed_timestamp=if(metrics.job.overall_status="FAILED" AND (prev_status="NONE" OR prev_status!="FAILED"), timestamp, null())
| table metrics.app, metrics.job.overall_status, prev_status, timestamp, prev_timestamp,failed_timestamp

The result is null in every entry. What is wrong?
even though there are FAILED status with the above specified conditions but the failed_timestamp results are null()
can anyone please share how to correct this...

Labels (1)
0 Karma

richgalloway
SplunkTrust
SplunkTrust

Splunk can get confused by the dot operator as it can separate parts of a field name, components of a JSON field, or represent concatenation.  To help eliminate the confusion try renaming fields to name that do not contain dots or put single quotes around the field names.

---
If this reply helps you, Karma would be appreciated.
0 Karma

Gaya3_devi
Explorer

Thank you so much ....That's working

richgalloway
SplunkTrust
SplunkTrust

If your problem is resolved, then please click the "Accept as Solution" button to help future readers.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Get Updates on the Splunk Community!

Exporting Splunk Apps

Join us on Monday, October 21 at 11 am PT | 2 pm ET!With the app export functionality, app developers and ...

Cisco Use Cases, ITSI Best Practices, and More New Articles from Splunk Lantern

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Build Your First SPL2 App!

Watch the recording now!.Do you want to SPL™, too? SPL2, Splunk's next-generation data search and preparation ...