Splunk Search

How to write a search to return "PASS" if all search results for a field are PASS or PARTIAL_PASS, but return "FAIL" if at least one result is FAIL?

milande
Path Finder

Hi,

I have data in Splunk DB which could be presented with this simplified table (real table has about 100 lines):

Test_Name......Test_Result
test_1................PASS
test_2................FAIL
test_3................PARTIAL_PASS

I need help in creating search string in Splunk which would give me the final result (in statistic tab) with the following logic:
Final result: PASS if all Test_Result(s) were PASS or PARTIAL_PASS
Final result: FAIL if at least one Test_Result were FAIL

how search string should look like ?

cheers,
Milan

Tags (4)
1 Solution

ramdaspr
Contributor
... | stats count(eval(Test_Result="Fail")) as failed, count(eval(Test_Result!="Fail")) as notfailed | eval Final_Result=if(failed>0,"Fail",if(notfailed>0,"Passed","NA")) | table Final_Result

This will give a single row with fail if it finds even a single record of fail and calls them pass otherwise i.e. any not marked Fail are considered passed.

View solution in original post

ramdaspr
Contributor
... | stats count(eval(Test_Result="Fail")) as failed, count(eval(Test_Result!="Fail")) as notfailed | eval Final_Result=if(failed>0,"Fail",if(notfailed>0,"Passed","NA")) | table Final_Result

This will give a single row with fail if it finds even a single record of fail and calls them pass otherwise i.e. any not marked Fail are considered passed.

dwaddle
SplunkTrust
SplunkTrust

Let's approach it mathematically...

| eval numerical_result = case ( Test_Result = "PASS", 1 , Test_Result="PARTIAL_PASS", 2 , Test_Result="FAIL" , 3 , 1=1, 0 )
| stats max(numerical_result) as numerical_result
| eval result = case ( numerial_result = 1, "PASS", numerical_result =2, "PARTIAL_PASS", numerical_result = 3 , "FAIL" ,  1=1, "UNKNOWN" )

So we make up a numerical equivalent to your PASS / PARTIAL_PASS / FAIL concepts and use max() to hit your criteria. Then we have to re-convert from numerics back to a textual representation.

Maybe someone else has a better approach?

milande
Path Finder

@ dwaddle
you approach seems also OK but for a sake of "shortness" I choose answer from "ramdaspr".
Thanks dwaddle anyway!

0 Karma
Get Updates on the Splunk Community!

Using Machine Learning for Hunting Security Threats

WATCH NOW Seeing the exponential hike in global cyber threat spectrum, organizations are now striving more for ...

New Learning Videos on Topics Most Requested by You! Plus This Month’s New Splunk ...

Splunk Lantern is a customer success center that provides advice from Splunk experts on valuable data ...

How I Instrumented a Rust Application Without Knowing Rust

As a technical writer, I often have to edit or create code snippets for Splunk's distributions of ...