create a status field based on 3 separate avgs

codedtech · ‎04-21-2020

I have a search that looks at the output of a few scripts and lets me know if they are not running. These scripts cover our data collection for the instance, from our data lake. For example if the asset script fails I like to see something in status field showing "Asset Collector broke!" in the status field. I want to create a status field to update for each scenario of the 3 different scenarios based on the avg number of results returned. This is what I tried so far in various forms, thanks for the help.

basesearch|stats avg(assets_collected) as ac avg(metrics_returned) as metrics avg(no_metrics) as not_returned
|eval status=case(ac==0, "Asset Collector broke!", assets==not_returned,"Cron Failure!",metrics==0,"Data Lake Failure!"

jpolvino · ‎04-21-2020

One way to do it is to create a field for each average you collect. This example populates a field if it satisfies the cases you put int your conditional, or leaves it null if not:

basesearch
| stats avg(assets_collected) as ac avg(metrics_returned) as metrics avg(no_metrics) as not_returned
| eval acStatus=if(ac==0, "Asset Collector broke!", null())
| eval metStatus=if(metrics==0,"Data Lake Failure!", null())
| eval notRetStatus=if(not_returned==0,"Cron Failure!",null())

create a status field based on 3 separate avgs

Transforming Financial Data into Fraud Intelligence

How to send events & findings from AWS to Splunk using Amazon EventBridge

Exciting News: The AppDynamics Community Joins Splunk!

Are you a member of the Splunk Community?

create a status field based on 3 separate avgs

Transforming Financial Data into Fraud Intelligence

How to send events & findings from AWS to Splunk using Amazon EventBridge

Exciting News: The AppDynamics Community Joins Splunk!