How to write search with CASE and MATCH function?

syazwani · ‎04-21-2022

Hi peeps,

I need help to fine tune this query;

index=network sourcetype=ping
| eval pingsuccess=case(match(ping_status, "succeeded"), Number)

Basically, I want to create a new field for ping success that will show the event count as values.

Please help.

gcusello · ‎04-21-2022

Hi @syazwani,

let me understand: what are the values of ping_status?

if they are only "succeded" and "failed", you don't need anything:

index=network sourcetype=ping
| stats count BY ping_status

if you have more values for ping_status that you want to aggregate you could use if or case functions:

index=network sourcetype=ping
| eval pingsuccess=if(ping_status="succeeded"), "succeeded","failed")
| stats count BY pingsuccess

Ciao.

Giuseppe

syazwani · ‎04-21-2022

Thank you for your reply. I want to create a base search for ITSI KPI configuration. That's why I need it to be extracted and create a single field for it.

gcusello · ‎04-21-2022

Hi @syazwani,

using my hint are you able to create the field?

otherwise, could you describe some sample of the values of the ping_status field?

Ciao.

Giuseppe

How to write search with CASE and MATCH function?

other

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

Monitoring Amazon Elastic Kubernetes Service (EKS)