Splunk Search

Rag status using if/case

codedtech
Path Finder

Hello Everyone,

I have a really simple question but I can'f figure it out for the life of me.  I have a query set up that gives me the utilization of an array, and I want to have a text based field for its RAG status.  This is what I'm using 

| eval RAG=(Class='DB' AND Utilization >= 62, "Red", Utilization >= 50, "Yellow", Utilization < 40, "Green")

I've tried to run it and I keep getting the eval statement is malformed error.  Any help you can give would be appreciated. 

Labels (1)
0 Karma

Nisha18789
Builder

hi @codedtech , try this

| eval RAG=case(Class='DB' AND Utilization >= 62, "Red", Utilization >= 50, "Yellow", Utilization < 40, "Green",1=1,"Unmatched")

0 Karma

codedtech
Path Finder

@Nisha18789  Thank you so much, that helped a ton. My next question is how do I get it to build off a list for all of these?

class

Green

Yellow

Red

DB

<60.0

>=68.0

>=75.0

WEB

<55.0

>=63.0

>=93.0

APP

<50.0

>=80.0

>=90.0

ZFS

<45.0

>=66.0

>=85.0

 

0 Karma

Nisha18789
Builder

Hi @codedtech you can use chart command as below after the case statement, in place of values() function you can use any other function that suits your requirement.

 

| chart values(utilization) over RAG by Class


hope this helps, please upvote or mark my previous post as solution is that answered your original question.

0 Karma

laurag
New Member

I am also trying to classify a RAG status which has different RAG cut-offs per "Class" such as displayed in the table from @codedtech , would each rule need to be stated in the "case" statement before using the chart command?

0 Karma

richgalloway
SplunkTrust
SplunkTrust

It looks like you're trying to use a case statement without including the "case" keyword.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Get Updates on the Splunk Community!

Exporting Splunk Apps

Join us on Monday, October 21 at 11 am PT | 2 pm ET!With the app export functionality, app developers and ...

Cisco Use Cases, ITSI Best Practices, and More New Articles from Splunk Lantern

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Build Your First SPL2 App!

Watch the recording now!.Do you want to SPL™, too? SPL2, Splunk's next-generation data search and preparation ...