Hello
Greetings!
I have data in the following way:
Device | Processor | Status |
01 | Splunkd | Running |
01 | Sql | Stopped |
01 | Python | Stopped |
02 | Splunkd | Stopped |
In the above output, for a device, if the state of at least one processor is running, it needs to be considered online, otherwise offline. Can you please help me with a query?
Thank you in advance
Happy splunking!
Thanks for the reply.
Sorry, my bad. It's actually output. Consider the output below, which has Devices 01 and 02 with Processors and Status.
For a device, if at least one processor's status is in the running state, it should be considered online, otherwise offline.
In device 01 we have 3 processors, of which 2 are in status running. As per the condition, if one is in the running state we need to take 01 as online.
Need a query for this.
Device | Processor | status |
01 | splunkd | running |
01 | sql | stopped |
01 | python | running |
02 | splunkd | stopped |
I'm not sure if I understand this. If you already have all the fields, a simple filter like '| where status == "Running"' should suffice, e.g.,
| where status == "Running"
| dedup Device status
Your sample data will give
Device | Processor | status |
01 | Sql | Running |
Or is the requirement to output a string "online" or "offline" for each device? To do that,
| stats values(status) by Device
| eval online_or_not = if('values(status)' == "Running", "online", "offline")
With this, your sample data will give
Device | values(status) | online_or_not |
01 | Running Stopped | online |
02 | Stopped | offline |
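As an added example (not part of the original answer or of Splunk's documentation), here is the same "online if at least one processor is running" rule written so that the decision is taken per row before aggregation, rather than by comparing the multivalue result of values(status) with a single string. The makeresults/rex lines only rebuild the sample data inline (constructed data) so the search runs without any index; in a real search they would be replaced by the base search that produces the Device, Processor and status fields.

```spl
| makeresults
| eval data="01,splunkd,Running;01,sql,Stopped;01,python,Running;02,splunkd,Stopped"
| makemv delim=";" data
| mvexpand data
| rex field=data "^(?<Device>[^,]+),(?<Processor>[^,]+),(?<status>.+)$"
| fields - _time, data
| eval is_running = if(lower(trim(status)) == "running", 1, 0)
| stats max(is_running) as any_running, values(Processor) as processors, values(status) as statuses by Device
| eval online_or_not = if(any_running == 1, "online", "offline")
| table Device processors statuses online_or_not
```

The eval sets a per-row flag is_running to 1 when the status is "running" in any letter case and with surrounding whitespace removed, so a device reporting "running" or "Running " still counts. stats then takes the maximum of that flag per Device, which is 1 as soon as any one processor is running, and the final eval maps 1 to "online" and everything else to "offline". With the inline sample data the result is Device 01 with processors python, splunkd, sql and statuses Running, Stopped marked online, and Device 02 with processor splunkd and status Stopped marked offline. Because the flag is computed before values() collapses the rows, the outcome does not depend on the order in which values() lists the statuses or on an exact-case match against "Running".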