Splunk Search

## How to write a search to return "PASS" if all search results for a field are PASS or PARTIAL_PASS, but return "FAIL" if at least one result is FAIL?

Path Finder

Hi,

I have data in Splunk DB which could be presented with this simplified table (real table has about 100 lines):

Test_Name......Test_Result
test_1................PASS
test_2................FAIL
test_3................PARTIAL_PASS

I need help in creating search string in Splunk which would give me the final result (in statistic tab) with the following logic:
Final result: PASS if all Test_Result(s) were PASS or PARTIAL_PASS
Final result: FAIL if at least one Test_Result were FAIL

how search string should look like ?

cheers,
Milan

Tags (4)
1 Solution
Contributor
``````... | stats count(eval(Test_Result="Fail")) as failed, count(eval(Test_Result!="Fail")) as notfailed | eval Final_Result=if(failed>0,"Fail",if(notfailed>0,"Passed","NA")) | table Final_Result
``````

This will give a single row with fail if it finds even a single record of fail and calls them pass otherwise i.e. any not marked Fail are considered passed.

Contributor
``````... | stats count(eval(Test_Result="Fail")) as failed, count(eval(Test_Result!="Fail")) as notfailed | eval Final_Result=if(failed>0,"Fail",if(notfailed>0,"Passed","NA")) | table Final_Result
``````

This will give a single row with fail if it finds even a single record of fail and calls them pass otherwise i.e. any not marked Fail are considered passed.

SplunkTrust

Let's approach it mathematically...

``````| eval numerical_result = case ( Test_Result = "PASS", 1 , Test_Result="PARTIAL_PASS", 2 , Test_Result="FAIL" , 3 , 1=1, 0 )
| stats max(numerical_result) as numerical_result
| eval result = case ( numerial_result = 1, "PASS", numerical_result =2, "PARTIAL_PASS", numerical_result = 3 , "FAIL" ,  1=1, "UNKNOWN" )
``````

So we make up a numerical equivalent to your PASS / PARTIAL_PASS / FAIL concepts and use `max()` to hit your criteria. Then we have to re-convert from numerics back to a textual representation.

Maybe someone else has a better approach?

Path Finder

you approach seems also OK but for a sake of "shortness" I choose answer from "ramdaspr".

Get Updates on the Splunk Community!

#### Splunk Education - Fast Start Program!

Welcome to Splunk Education! Splunk training programs are designed to enable you to get started quickly and ...

#### Five Subtly Different Ways of Adding Manual Instrumentation in Java

You can find the code of this example on GitHub here. Please feel free to star the repository to keep in ...

#### New Splunk APM Enhancements Help Troubleshoot Your MySQL and NoSQL Databases Faster

Splunk Observability has two new enhancements to make it quicker and easier to troubleshoot slow or frequently ...