Re: CASE and MATCH function

syazwani · ‎04-21-2022

Hi peeps,

I need help to fine tune this query;

index=network sourcetype=ping
| eval pingsuccess=case(match(ping_status, "succeeded"), Number)

Basically, I want to create a new field for ping success that will show the event count as values.

Please help.

gcusello · ‎04-21-2022

Hi @syazwani,

let me understand: what are the values of ping_status?

if they are only "succeded" and "failed", you don't need anything:

index=network sourcetype=ping
| stats count BY ping_status

if you have more values for ping_status that you want to aggregate you could use if or case functions:

index=network sourcetype=ping
| eval pingsuccess=if(ping_status="succeeded"), "succeeded","failed")
| stats count BY pingsuccess

Ciao.

Giuseppe

syazwani · ‎04-21-2022

Thank you for your reply. I want to create a base search for ITSI KPI configuration. That's why I need it to be extracted and create a single field for it.

gcusello · ‎04-21-2022

Hi @syazwani,

using my hint are you able to create the field?

otherwise, could you describe some sample of the values of the ping_status field?

Ciao.

Giuseppe

How to write search with CASE and MATCH function?

Splunk Observability Cloud's AI Assistant in Action Series: Auditing Compliance and ...

Splunk Community Badges!

What You Read The Most: Splunk Lantern’s Most Popular Articles!

Are you a member of the Splunk Community?

How to write search with CASE and MATCH function?

Splunk Observability Cloud's AI Assistant in Action Series: Auditing Compliance and ...

Splunk Community Badges!

What You Read The Most: Splunk Lantern’s Most Popular Articles!