Hello all, I am trying to get a reason field to generate based on field values as to why a system is showing up in a report. This is the example of the where clause I'm using, that defines what I'm looking for.
| where
((system_class="Echo") AND ('Mem_Util'>=83 OR 'CPU_Util'>=83 OR 'Mem_Al'>=100 OR 'CPU_Al'>=110))
For example, if Mem_Util is the reason it shows up on the report, I want a reason field to display at the end of the output that says Memory Util. What makes it more interesting is that I have 5 different system_classes with 5 different levels of values for each of the 4 metrics.
You could have a large case statement
| eval reason=case((system_class="Echo" AND 'Mem_Util'>=83), "Mem_util", (system_class="Echo" AND 'CPU_Util'>=83 ), "CPU_Util", (system_class="Echo" AND 'Mem_Al'>=100), "Mem_Al" ...
I can get one group of values fine, but when I add another set of values, the eval command gets malformed.
It might be the size of the case/eval. You could split it into parts and re-evaluate the parts
| eval reason_echo=if(system_class="Echo", case('Mem_Util'>=83, "Mem_util", 'CPU_Util'>=83, "CPU_Util", 'Mem_Al'>=100, "Mem_Al" ..., 1=1, NULL()), NULL())
| eval reason_class2=if(system_class="Class2", case('Mem_Util'>=83, "Mem_util", 'CPU_Util'>=83, "CPU_Util", 'Mem_Al'>=100, "Mem_Al" ..., 1=1, NULL()), NULL())
| eval reason=coalesce(reason_echo, reason_class2, ...)
So, if the if condition is false, or case does not find a match, the value is set to NULL() so coalesce will move on to the next reason code.