Re: Require Splunk query

khursheed · ‎09-28-2021

Hi

Below data is dynamic, sample input table is given below, rows are order may vary (for simplicity I have put the data in order to understand easily).

Input:

Feature Name	Browser Name	Result
Feature 1	B1	Pass
Feature 1	B1	Pass
Feature 1	B1	Pass
Feature 1	B1	Pass
Feature 1	B2	Fail
Feature 1	B2	Pass
Feature 1	B2	Pass
Feature 1	B2	Pass
Feature 1	B3	Pass
Feature 1	B3	Pass
Feature 1	B3	Pass
Feature 1	B3	Fail
Feature 1	B4	Pass
Feature 1	B4	Pass
Feature 1	B4	Fail
Feature 1	B4	Pass

Based on the above input table, output needs to be generated as listed below. Cumulative result needs to be generated based on the browser name and result for each feature. If any one of result fails on particular a browser, feature is considered failed.

Output:

Feature 1	B1	Pass
Feature 1	B2	Fail
Feature 1	B3	Fail
Feature 1	B4	Fail

Would you please help me to generate expected output as listed.

somesoni2 · ‎09-28-2021

Try something like this

Your Base search fetching fields "Feature Name","Browser Name",Result
| stats count(eval(Result="Fail")) as Result by "Feature Name","Browser Name"
| eval Result=if(Result>0,"Fail","Pass")

ITWhisperer · ‎09-28-2021

| stats values(Result) as Result by 'Browser Name' 'Feature Name'
| eval Result=mvindex(Result,0)

Require Splunk query

eval

stats

table

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Quantify Your Splunk Investment Impact: Introducing Savings Metrics to Value Insights

Event Series: Telemetry Pipeline Management

Kick the Tires Before You Commit: A Hands-On Tour of the Splunk Observability Cloud ...

Join the Conversation