How to write search with CASE and MATCH function?

syazwani · ‎04-21-2022

Hi peeps,

I need help to fine tune this query;

index=network sourcetype=ping
| eval pingsuccess=case(match(ping_status, "succeeded"), Number)

Basically, I want to create a new field for ping success that will show the event count as values.

Please help.

gcusello · ‎04-21-2022

Hi @syazwani,

let me understand: what are the values of ping_status?

if they are only "succeded" and "failed", you don't need anything:

index=network sourcetype=ping
| stats count BY ping_status

if you have more values for ping_status that you want to aggregate you could use if or case functions:

index=network sourcetype=ping
| eval pingsuccess=if(ping_status="succeeded"), "succeeded","failed")
| stats count BY pingsuccess

Ciao.

Giuseppe

syazwani · ‎04-21-2022

Thank you for your reply. I want to create a base search for ITSI KPI configuration. That's why I need it to be extracted and create a single field for it.

gcusello · ‎04-21-2022

Hi @syazwani,

using my hint are you able to create the field?

otherwise, could you describe some sample of the values of the ping_status field?

Ciao.

Giuseppe

How to write search with CASE and MATCH function?

Announcing the Expansion of the Splunk Academic Alliance Program

Learn Splunk Insider Insights, Do More With Gen AI, & Find 20+ New Use Cases You Can ...

Buttercup Games: Further Dashboarding Techniques (Part 7)