Re: Require Splunk query

khursheed · ‎09-28-2021

Hi

Below data is dynamic, sample input table is given below, rows are order may vary (for simplicity I have put the data in order to understand easily).

Input:

Feature Name	Browser Name	Result
Feature 1	B1	Pass
Feature 1	B1	Pass
Feature 1	B1	Pass
Feature 1	B1	Pass
Feature 1	B2	Fail
Feature 1	B2	Pass
Feature 1	B2	Pass
Feature 1	B2	Pass
Feature 1	B3	Pass
Feature 1	B3	Pass
Feature 1	B3	Pass
Feature 1	B3	Fail
Feature 1	B4	Pass
Feature 1	B4	Pass
Feature 1	B4	Fail
Feature 1	B4	Pass

Based on the above input table, output needs to be generated as listed below. Cumulative result needs to be generated based on the browser name and result for each feature. If any one of result fails on particular a browser, feature is considered failed.

Output:

Feature 1	B1	Pass
Feature 1	B2	Fail
Feature 1	B3	Fail
Feature 1	B4	Fail

Would you please help me to generate expected output as listed.

somesoni2 · ‎09-28-2021

Try something like this

Your Base search fetching fields "Feature Name","Browser Name",Result
| stats count(eval(Result="Fail")) as Result by "Feature Name","Browser Name"
| eval Result=if(Result>0,"Fail","Pass")

ITWhisperer · ‎09-28-2021

| stats values(Result) as Result by 'Browser Name' 'Feature Name'
| eval Result=mvindex(Result,0)

Require Splunk query

eval

stats

table

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Agent Mode Engaged! Enchaining Agentic Operations with Splunk AI Assistant 2.0

Announcing Modern Navigation: A New Era of Splunk User Experience

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

Join the Conversation