There are multiple methods to achieve this. However, let's first try it in a simpler way:

index=mday source="service_status.ps1" sourcetype=service_status os_service="App_Service" host=*papp01
|stats latest(status) AS status by host
|eventstats values(status) as _status
|eval OverallStatus=if(mvcount(_status) < 2 OR isnull(mvfind(_status,"Running")),"Down","Good")

Steps:
- Count the status values.
- If the count is less than 2, meaning only one of the statuses from Running/Stopped is present,
- OR the Running status is not available, we are setting the overall status as down.

In this way, we can handle multiple situations where one of the servers is down, or both are reporting down, or even both are reporting Running (active & passive).

Demonstrated with a dummy search:

|makeresults|eval host="HostA",status="Running"
|append[|makeresults|eval host="HostB",status="Stopped"]
|stats latest(status) as status by host
|eventstats values(status) as _status
|eval OverallStatus=if(mvcount(_status) < 2 OR isnull(mvfind(_status,"Running")),"Down","Good")

Try changing the status of HostA or HostB and see the results.
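An added example, not part of the original answer: the same dummy search extended to evaluate all four HostA/HostB status combinations in one run, so the `OverallStatus` logic can be checked for every case side by side. The fields `scenario`, `pair`, `hosts` and `row` are helper names assumed here for illustration, and `eventstats` is grouped by `scenario` so each combination is judged on its own.

```spl
| makeresults count=4
| streamstats count AS scenario
| eval pair=case(scenario=1,"Running,Stopped",
                 scenario=2,"Stopped,Stopped",
                 scenario=3,"Running,Running",
                 scenario=4,"Stopped,Running")
| eval pair=split(pair,","), hosts=split("HostA,HostB",",")
| eval row=mvzip(hosts,pair,"=")
| mvexpand row
| eval host=mvindex(split(row,"="),0), status=mvindex(split(row,"="),1)
| stats latest(status) AS status by scenario host
| eventstats values(status) AS _status by scenario
| eval OverallStatus=if(mvcount(_status) < 2 OR isnull(mvfind(_status,"Running")),"Down","Good")
| table scenario host status OverallStatus
```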