Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to write a search to return "PASS" if all search results for a field are PASS or PARTIAL_PASS, but return "FAIL" if at least one result is FAIL?

milande
Path Finder
‎03-17-2015 09:39 AM

Hi,

I have data in Splunk DB which could be presented with this simplified table (real table has about 100 lines):

Test_Name......Test_Result
test_1................PASS
test_2................FAIL
test_3................PARTIAL_PASS

I need help in creating search string in Splunk which would give me the final result (in statistic tab) with the following logic:
Final result: PASS if all Test_Result(s) were PASS or PARTIAL_PASS
Final result: FAIL if at least one Test_Result were FAIL

how search string should look like ?

cheers,
Milan

Tags (4)
Reply
1 Solution
Solved! Jump to solution
Solution

ramdaspr
Contributor
‎03-17-2015 05:06 PM 
... | stats count(eval(Test_Result="Fail")) as failed, count(eval(Test_Result!="Fail")) as notfailed | eval Final_Result=if(failed>0,"Fail",if(notfailed>0,"Passed","NA")) | table Final_Result

This will give a single row with fail if it finds even a single record of fail and calls them pass otherwise i.e. any not marked Fail are considered passed.

View solution in original post

Reply
Solved! Jump to solution
Solution

ramdaspr
Contributor
‎03-17-2015 05:06 PM 
... | stats count(eval(Test_Result="Fail")) as failed, count(eval(Test_Result!="Fail")) as notfailed | eval Final_Result=if(failed>0,"Fail",if(notfailed>0,"Passed","NA")) | table Final_Result

This will give a single row with fail if it finds even a single record of fail and calls them pass otherwise i.e. any not marked Fail are considered passed.

Reply
Solved! Jump to solution

dwaddle
SplunkTrust
SplunkTrust
‎03-17-2015 10:09 AM

Let's approach it mathematically...

| eval numerical_result = case ( Test_Result = "PASS", 1 , Test_Result="PARTIAL_PASS", 2 , Test_Result="FAIL" , 3 , 1=1, 0 )
| stats max(numerical_result) as numerical_result
| eval result = case ( numerial_result = 1, "PASS", numerical_result =2, "PARTIAL_PASS", numerical_result = 3 , "FAIL" ,  1=1, "UNKNOWN" )

So we make up a numerical equivalent to your PASS / PARTIAL_PASS / FAIL concepts and use max() to hit your criteria. Then we have to re-convert from numerics back to a textual representation.

Maybe someone else has a better approach?

Reply
Solved! Jump to solution

milande
Path Finder
‎03-18-2015 02:35 AM

@ dwaddle
you approach seems also OK but for a sake of "shortness" I choose answer from "ramdaspr".
Thanks dwaddle anyway!

0 Karma
Reply
Get Updates on the Splunk Community!

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...