Require Splunk query

khursheed · ‎09-28-2021

Hi

Below data is dynamic, sample input table is given below, rows are order may vary (for simplicity I have put the data in order to understand easily).

Input:

Feature Name	Browser Name	Result
Feature 1	B1	Pass
Feature 1	B1	Pass
Feature 1	B1	Pass
Feature 1	B1	Pass
Feature 1	B2	Fail
Feature 1	B2	Pass
Feature 1	B2	Pass
Feature 1	B2	Pass
Feature 1	B3	Pass
Feature 1	B3	Pass
Feature 1	B3	Pass
Feature 1	B3	Fail
Feature 1	B4	Pass
Feature 1	B4	Pass
Feature 1	B4	Fail
Feature 1	B4	Pass

Based on the above input table, output needs to be generated as listed below. Cumulative result needs to be generated based on the browser name and result for each feature. If any one of result fails on particular a browser, feature is considered failed.

Output:

Feature 1	B1	Pass
Feature 1	B2	Fail
Feature 1	B3	Fail
Feature 1	B4	Fail

Would you please help me to generate expected output as listed.

somesoni2 · ‎09-28-2021

Try something like this

Your Base search fetching fields "Feature Name","Browser Name",Result
| stats count(eval(Result="Fail")) as Result by "Feature Name","Browser Name"
| eval Result=if(Result>0,"Fail","Pass")

ITWhisperer · ‎09-28-2021

| stats values(Result) as Result by 'Browser Name' 'Feature Name'
| eval Result=mvindex(Result,0)

Require Splunk query

eval

other

stats

table

Take the 2021 Splunk Career Survey for $50 in Amazon Cash

Using Machine Learning for Hunting Security Threats

Observability Newsletter Highlights | March 2023