Splunk Search

Reason field using multiple criteria

codedtech
Path Finder

Hello all, I am trying to get a reason field to generate based on field values as to why a system is showing up in a report. This is the example of the where clause I'm using, that defines what I'm looking for.

| where
((system_class="Echo") AND ('Mem_Util'>=83 OR 'CPU_Util'>=83 OR 'Mem_Al'>=100 OR 'CPU_Al'>=110))

For example, if Mem_Util is the reason it shows up on the report, I want a reason field to display at the end of the output that says Memory Util. What makes it more interesting is that I have 5 different system_classes with 5 different levels of values for each of the 4 metrics.

1 Solution

ITWhisperer
SplunkTrust

It might be the size of the case/eval. You could split it into parts and re-evaluate the parts.


| eval reason_echo=if(system_class="Echo", case('Mem_Util'>=83, "Mem_util", 'CPU_Util'>=83, "CPU_Util", 'Mem_Al'>=100, "Mem_Al" ..., 1=1, NULL()), NULL())
| eval reason_class2=if(system_class="Class2", case('Mem_Util'>=83, "Mem_util", 'CPU_Util'>=83, "CPU_Util", 'Mem_Al'>=100, "Mem_Al" ..., 1=1, NULL()), NULL())
...
| eval reason=coalesce(reason_echo, reason_class2,...


So, if the if condition is false, or case does not find a match, the value is set to NULL(), so coalesce will move on to the next reason code.

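The per-class if/case/coalesce pattern from the accepted answer, written out as a complete search that can be pasted into a Splunk search bar. This is an added example, not code from the original thread: the rows built with makeresults are constructed sample data, the Echo thresholds are the ones from the question, and the Class2 thresholds (90/90/120/130) are an assumed second tier, not values from the thread.

```spl
| makeresults count=1
| eval sample="Echo,90,40,50,60;Echo,40,40,120,60;Class2,60,95,10,20;Class2,85,40,10,20;Echo,10,10,10,10"
| makemv delim=";" sample
| mvexpand sample
| rex field=sample "^(?<system_class>[^,]+),(?<Mem_Util>\d+),(?<CPU_Util>\d+),(?<Mem_Al>\d+),(?<CPU_Al>\d+)$"
| eval Mem_Util=tonumber(Mem_Util), CPU_Util=tonumber(CPU_Util), Mem_Al=tonumber(Mem_Al), CPU_Al=tonumber(CPU_Al)
| fields - sample
| eval reason_echo=if(system_class="Echo", case('Mem_Util'>=83, "Memory Util", 'CPU_Util'>=83, "CPU Util", 'Mem_Al'>=100, "Memory Alloc", 'CPU_Al'>=110, "CPU Alloc", 1=1, null()), null())
| eval reason_class2=if(system_class="Class2", case('Mem_Util'>=90, "Memory Util", 'CPU_Util'>=90, "CPU Util", 'Mem_Al'>=120, "Memory Alloc", 'CPU_Al'>=130, "CPU Alloc", 1=1, null()), null())
| eval reason=coalesce(reason_echo, reason_class2)
| where isnotnull(reason)
| table system_class Mem_Util CPU_Util Mem_Al CPU_Al reason
```

With the constructed rows, three results survive the final where: the first Echo row with reason "Memory Util", the second Echo row with "Memory Alloc", and the first Class2 row with "CPU Util"; the other two rows breach no threshold for their class, so every reason_* field is null and they drop out. Because case stops at the first true condition, the order of the metrics inside each case decides which reason is reported when several thresholds are breached at once.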

ITWhisperer
SplunkTrust

You could have a large case statement:

| eval reason=case((system_class="Echo" AND 'Mem_Util'>=83), "Mem_util", (system_class="Echo" AND 'CPU_Util'>=83 ), "CPU_Util", (system_class="Echo" AND 'Mem_Al'>=100), "Mem_Al" ...

codedtech
Path Finder

I can get one group of values fine, but when I add another set of values, the eval command gets malformed.


