Re: CASE and MATCH function

syazwani · ‎04-21-2022

Hi peeps,

I need help to fine tune this query;

index=network sourcetype=ping
| eval pingsuccess=case(match(ping_status, "succeeded"), Number)

Basically, I want to create a new field for ping success that will show the event count as values.

Please help.

gcusello · ‎04-21-2022

Hi @syazwani,

let me understand: what are the values of ping_status?

if they are only "succeded" and "failed", you don't need anything:

index=network sourcetype=ping
| stats count BY ping_status

if you have more values for ping_status that you want to aggregate you could use if or case functions:

index=network sourcetype=ping
| eval pingsuccess=if(ping_status="succeeded"), "succeeded","failed")
| stats count BY pingsuccess

Ciao.

Giuseppe

syazwani · ‎04-21-2022

Thank you for your reply. I want to create a base search for ITSI KPI configuration. That's why I need it to be extracted and create a single field for it.

gcusello · ‎04-21-2022

Hi @syazwani,

using my hint are you able to create the field?

otherwise, could you describe some sample of the values of the ping_status field?

Ciao.

Giuseppe

How to write search with CASE and MATCH function?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Monitoring AI Agents with Splunk Observability Cloud

[Puzzles] Solve, Learn, Repeat: Tiling

SOK it to Me: Top 3 Benefits of Using Splunk Operator on Kubernetes that’ll Make ...

Join the Conversation