Splunk Search

create a status field based on 3 separate avgs

Path Finder

I have a search that looks at the output of a few scripts and lets me know if they are not running. These scripts cover our data collection for the instance, from our data lake. For example if the asset script fails I like to see something in status field showing "Asset Collector broke!" in the status field. I want to create a status field to update for each scenario of the 3 different scenarios based on the avg number of results returned. This is what I tried so far in various forms, thanks for the help.

basesearch|stats avg(assets_collected) as ac avg(metrics_returned) as metrics avg(no_metrics) as not_returned
|eval status=case(ac==0, "Asset Collector broke!", assets==not_returned,"Cron Failure!",metrics==0,"Data Lake Failure!"
0 Karma

Builder

One way to do it is to create a field for each average you collect. This example populates a field if it satisfies the cases you put int your conditional, or leaves it null if not:

basesearch
| stats avg(assets_collected) as ac avg(metrics_returned) as metrics avg(no_metrics) as not_returned
| eval acStatus=if(ac==0, "Asset Collector broke!", null())
| eval metStatus=if(metrics==0,"Data Lake Failure!", null())
| eval notRetStatus=if(not_returned==0,"Cron Failure!",null())
0 Karma