Hi @Harikiranjammul Use an eval statement with a conditional to build the description field based on the value of status. |makeresults | eval Server="host1", Status="host is down", Threshold="unab...
See more...
Hi @Harikiranjammul Use an eval statement with a conditional to build the description field based on the value of status. |makeresults | eval Server="host1", Status="host is down", Threshold="unable to ping" | append [| makeresults | eval Db="db1", Status="database is down", Instance_status="DB instance is not available"] | eval date=strftime(_time, "%d/%m/%Y %H:%M:%S") | eval description=case( Status=="database is down", "date=" . date . " Db=" . Db . " Status=" . Status . " Instance_status=" . Instance_status, Status=="host is down", "date=" . date . " Server=" . Server . " Status=" . Status . " Threshold=" . Threshold ) This SPL checks the Status field and constructs the description field by concatenating the relevant fields for each case. Ensure your field names match exactly (case-sensitive) and are extracted correctly before using this logic. Did this answer help you? If so, please consider: Adding karma to show it was useful Marking it as the solution if it resolved your issue Commenting if you need any clarification Your feedback encourages the volunteers in this community to continue contributing