Splunk Search

Looping if condition in for loop and display different tables

k_harini
Communicator

I have a table with 10 records, 2 rows for each host - say AUX0001 to AUX0005. For each host, 2 processes occur, each with a status and time range: AUX0001 disp.exe abcded green running, AUX0001 wxze.exe red running. In this way it is present for all the hosts.
My requirement - if both processes are green, the host should display only once, for disp.exe. If both are red, then both processes should be displayed. If one is green and one is red, it should be red with that process name, be it disp.exe or wxze.exe. This looks simple, but I am unable to achieve this.

I tried several ways. Should I have to loop for each host? I'm not getting the desired result.

index="xxx" sourcetype="yy"
| fields name description dispstatus textstatus starttime elapsedtime pid source
| eval host_source = mvindex(split(source,"\\"),5)
| eventstats count(eval(dispstatus="Green")) as green_count count(eval(dispstatus="Red")) as red_count by host_source
| eval desc_test = case(green_count==2 OR red_count==2, "Dispatcher", red_count==1 AND description="watchdog", "watch", red_count==1 AND description=" Dispatcher ", " Dispatcher ")
| table host_source description dispstatus desc_test
| where description=desc_test

Can someone please help me here? Thanks a lot

1 Solution

DalJeanis
SplunkTrust
STATUS           DISPLAY     
DISP   WATCH     DISP   WATCH   
GREEN  GREEN     GREEN 
GREEN  RED              RED
RED    GREEN     RED   
RED    RED       RED    RED

Okay, if either process is red, then that process should display. On the other hand, if both processes are green, then DISP should show green.

Try this for test code -

index="xxx" sourcetype="yy" 
| fields name description dispstatus textstatus starttime elapsedtime pid source
| eval host_source = mvindex(split(source,"\\"),5)
| eventstats count(eval(dispstatus="Green")) as green_count by host_source
| eval desc_test = If( (dispstatus="Red") OR (green_count==2 AND description=" Dispatcher "),"Pass","Block")
| table host_source description dispstatus desc_test
| sort 0 host_source description

If those results seem right, then use this for the actual code

index="xxx" sourcetype="yy" 
| fields name description dispstatus textstatus starttime elapsedtime pid source
| eval host_source = mvindex(split(source,"\\"),5)
| eventstats count(eval(dispstatus="Green")) as green_count by host_source
| search (dispstatus="Red") OR (green_count==2 AND description=" Dispatcher ")
| table host_source description dispstatus
| sort 0 host_source description


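To check the accepted answer's eventstats-plus-filter logic without access to the index, here is an added example that is not part of the thread: it fabricates the four host patterns from the chart above with `makeresults` (constructed data; the `description` values are `Dispatcher` and `watchdog` without the padded spaces of the real data) and then applies the same per-host green count and filter. It uses `where` instead of `search` for the filter, which is an assumption that an exact, case-sensitive comparison is wanted.

```spl
| makeresults count=8
| streamstats count as n
| eval host_source = "AUX000" . tostring(ceil(n / 2))
| eval description = if(n % 2 == 1, "Dispatcher", "watchdog")
| eval dispstatus = case(n <= 3, "Green", n == 6, "Green", true(), "Red")
| eventstats count(eval(dispstatus="Green")) as green_count by host_source
| where dispstatus="Red" OR (green_count==2 AND description="Dispatcher")
| table host_source description dispstatus green_count
| sort 0 host_source description
```

Rows 1-2 give AUX0001 green/green, rows 3-4 give AUX0002 green/red, rows 5-6 give AUX0003 red/green and rows 7-8 give AUX0004 red/red, so the output should be five rows: only the Dispatcher row for AUX0001, the single red row for AUX0002 and AUX0003, and both rows for AUX0004.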
k_harini
Communicator

Thanks so much for your response. I tried this; it worked. Instead of green_count = 2, I gave dispstatus = green, and 1 green process also got displayed along with the red ones. Thanks a lot. I got confused.


DalJeanis
SplunkTrust
SplunkTrust

You're welcome.

The little results chart I made helped me simplify the question. There was only one condition that ever showed green (green==2), so from there it was easy.
