How to write a search that groups values to be use...

quietferret · ‎08-18-2022

Hi All,

I am new to Splunk and the SPL in general so I will try and explain as best I can. I have been tasked to produce an UP/DOWN dashboard to show different Microsoft Cloud services and their statuses. We are importing data from the Microsoft Service Health and can run searches on it. I am able to find each service (Microsoft Teams, Exchange Online, SharePoint Online etc) and their current status (up or down).

Now I need to show this in a dashboard but my manager wants to group the services in categories like, Core services, Productivity and Cloud Apps so that if a person navigates tot he dashboard they can click a dropdown and select the category then those services are displayed with their UP/DOWN status.

Any help would be much appreciated.

quietferret · ‎08-18-2022

Ok so I had the following:

index=azure source="ServiceAnnouncement.Issues" | sort 0 - _time | eval category = if(service = "Exchange Online" , "Core Service" , other)

But how can I do multiple if statements?

ITWhisperer · ‎08-18-2022

You probably need to eval a new field which categorises the services and then filter on those categories. You could use a case function or if functions to do the evaluation, or you could define and use a lookup to map the service to its category.

How to write a search that groups values to be used in a dropdown on a dashboard?

fields

lookup

stats

subsearch

[Puzzles] Solve, Learn, Repeat: Dynamic formatting from XML events

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...

Join the Conversation