Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Looping if condition in for loop and display different tables

k_harini
Communicator
‎01-21-2017 07:52 PM

I have a table with 10 records. 2 rows for each host - say AUX0001 to AUX0005. For each host, 2 processes occur: the status and time range. AUX0001 disp.exe abcded green running , AUX0001 wxze.exe red running. In this way it is present for all the hosts..
My requirement - if both processes are green, host should display only once for disp.exe. if both are red, then both processes should be displayed. If one is green and one is red , it should be red with that process name be it disp.exe or wxze.exe. This looks simple. but unable to achieve this.

I tried several ways - Should i have to loop for each host? I'm not getting the desired result.

index="xxx" sourcetype="yy" |fields name description dispstatus textstatus starttime elapsedtime pid source|eval host_source = mvindex(split(source,"\\"),5)|eventstats count(eval(dispstatus="Green")) as green_count  count(eval(dispstatus="Red")) as red_count by host_source|eval desc_test = case(green_count ==2 OR red_count ==2,"Dispatcher", red_count ==1 AND description="watchdog" ,"watch", red_count ==1 AND description=" Dispatcher " ," Dispatcher ")|table host_source description dispstatus desc_test|where description=desc_test

Can someone please help me here? Thanks a lot

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

DalJeanis
Legend
‎01-21-2017 08:27 PM 
STATUS           DISPLAY     
DISP   WATCH     DISP   WATCH   
GREEN  GREEN     GREEN 
GREEN  RED              RED
RED    GREEN     RED   
RED    RED       RED    RED

okay, if either process is red, then that process should display. On the other hand, if both processes are green, then DISP should show green.

Try this for test code - 

index="xxx" sourcetype="yy" 
| fields name description dispstatus textstatus starttime elapsedtime pid source
| eval host_source = mvindex(split(source,"\\"),5)
| eventstats count(eval(dispstatus="Green")) as green_count by host_source
| eval desc_test = If( (dispstatus="Red") OR (green_count==2 AND description=" Dispatcher "),"Pass","Block")
| table host_source description dispstatus desc_test
| sort 0 host_source description

If those results seem right, then use this for the actual code

index="xxx" sourcetype="yy" 
| fields name description dispstatus textstatus starttime elapsedtime pid source
| eval host_source = mvindex(split(source,"\\"),5)
| eventstats count(eval(dispstatus="Green")) as green_count by host_source
| search (dispstatus="Red") OR (green_count==2 AND description=" Dispatcher ")
| table host_source description dispstatus
| sort 0 host_source description

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

DalJeanis
Legend
‎01-21-2017 08:27 PM 
STATUS           DISPLAY     
DISP   WATCH     DISP   WATCH   
GREEN  GREEN     GREEN 
GREEN  RED              RED
RED    GREEN     RED   
RED    RED       RED    RED

okay, if either process is red, then that process should display. On the other hand, if both processes are green, then DISP should show green.

Try this for test code - 

index="xxx" sourcetype="yy" 
| fields name description dispstatus textstatus starttime elapsedtime pid source
| eval host_source = mvindex(split(source,"\\"),5)
| eventstats count(eval(dispstatus="Green")) as green_count by host_source
| eval desc_test = If( (dispstatus="Red") OR (green_count==2 AND description=" Dispatcher "),"Pass","Block")
| table host_source description dispstatus desc_test
| sort 0 host_source description

If those results seem right, then use this for the actual code

index="xxx" sourcetype="yy" 
| fields name description dispstatus textstatus starttime elapsedtime pid source
| eval host_source = mvindex(split(source,"\\"),5)
| eventstats count(eval(dispstatus="Green")) as green_count by host_source
| search (dispstatus="Red") OR (green_count==2 AND description=" Dispatcher ")
| table host_source description dispstatus
| sort 0 host_source description
0 Karma
Reply
Solved! Jump to solution

k_harini
Communicator
‎01-22-2017 02:31 AM

Thanks so much for your response.. I tried this.. it worked.. instead of green_count = 2 , I gave dispstatus = green, 1 green process also got displayed along with red ones.. Thanks a lot.. I got confused..

0 Karma
Reply
Solved! Jump to solution

DalJeanis
Legend
‎01-23-2017 06:49 AM

You're welcome.

The little results chart I made helped me simplify the question. There was only one condition that ever showed green (green==2), so from there it was easy.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Enterprise Security 8.0.2 Availability: On cloud and On-premise!

A few months ago, we released Splunk Enterprise Security 8.0 for our cloud customers. Today, we are excited to ...

Logs to Metrics

Logs and Metrics Logs are generally unstructured text or structured events emitted by applications and written ...

Developer Spotlight with Paul Stout

Welcome to our very first developer spotlight release series where we'll feature some awesome Splunk ...