Splunk Search

How to write a search to return "PASS" if all search results for a field are PASS or PARTIAL_PASS, but return "FAIL" if at least one result is FAIL?

milande
Path Finder

Hi,

I have data in Splunk DB which could be presented with this simplified table (real table has about 100 lines):

Test_Name......Test_Result
test_1................PASS
test_2................FAIL
test_3................PARTIAL_PASS

I need help in creating search string in Splunk which would give me the final result (in statistic tab) with the following logic:
Final result: PASS if all Test_Result(s) were PASS or PARTIAL_PASS
Final result: FAIL if at least one Test_Result were FAIL

how search string should look like ?

cheers,
Milan

Tags (4)
1 Solution

ramdaspr
Contributor
... | stats count(eval(Test_Result="Fail")) as failed, count(eval(Test_Result!="Fail")) as notfailed | eval Final_Result=if(failed>0,"Fail",if(notfailed>0,"Passed","NA")) | table Final_Result

This will give a single row with fail if it finds even a single record of fail and calls them pass otherwise i.e. any not marked Fail are considered passed.

View solution in original post

ramdaspr
Contributor
... | stats count(eval(Test_Result="Fail")) as failed, count(eval(Test_Result!="Fail")) as notfailed | eval Final_Result=if(failed>0,"Fail",if(notfailed>0,"Passed","NA")) | table Final_Result

This will give a single row with fail if it finds even a single record of fail and calls them pass otherwise i.e. any not marked Fail are considered passed.

dwaddle
SplunkTrust
SplunkTrust

Let's approach it mathematically...

| eval numerical_result = case ( Test_Result = "PASS", 1 , Test_Result="PARTIAL_PASS", 2 , Test_Result="FAIL" , 3 , 1=1, 0 )
| stats max(numerical_result) as numerical_result
| eval result = case ( numerial_result = 1, "PASS", numerical_result =2, "PARTIAL_PASS", numerical_result = 3 , "FAIL" ,  1=1, "UNKNOWN" )

So we make up a numerical equivalent to your PASS / PARTIAL_PASS / FAIL concepts and use max() to hit your criteria. Then we have to re-convert from numerics back to a textual representation.

Maybe someone else has a better approach?

milande
Path Finder

@ dwaddle
you approach seems also OK but for a sake of "shortness" I choose answer from "ramdaspr".
Thanks dwaddle anyway!

0 Karma
Get Updates on the Splunk Community!

Splunk Education - Fast Start Program!

Welcome to Splunk Education! Splunk training programs are designed to enable you to get started quickly and ...

Five Subtly Different Ways of Adding Manual Instrumentation in Java

You can find the code of this example on GitHub here. Please feel free to star the repository to keep in ...

New Splunk APM Enhancements Help Troubleshoot Your MySQL and NoSQL Databases Faster

Splunk Observability has two new enhancements to make it quicker and easier to troubleshoot slow or frequently ...