How to write a search for mapping fields based on dependency

harshal_chakran
Builder

Hi,
I have a sample dataset as follows:

PROCCESS_NAME STATUS
p1 PASS
p2 PASS
p3 PASS
p4 PASS
p5 PASS
p6 PASS

Their dependency relationship is as follows
p1-->depends on -->p2 -->depends on-->p4 -->depends on -->p6
p1-->depends on --> p3-->depends on-->p5

How can I represent the same in a table/chart in a dynamic way? Also, if any PROCCESS_NAME fails, its upper hierarchy should also be set as FAIL.

Means if p6 fails, then p6, p4, p2 and p1 should also be set as FAIL.

Currently I am able to show either predecessor or successor, i.e. p2-p1 OR p2-p3, based on the lookup created:

Predecessor Successor
p1 p2
p1 p3
p2 p4
p4 p6
p3 p5

0 Karma

DalJeanis
SplunkTrust

There are two solutions on the thread at this link, one of which is extensively documented and general in its application.

https://answers.splunk.com/answers/170487/recursively-join-the-same-table.html

Be sure to upvote rmasuoka's post on that thread if it helps you with your problem. Looks like he did a lot of work to create, document and explain a generally applicable solution.

0 Karma

harshal_chakran
Builder

Hi, thanks for sharing the link - this will help me.
Yes, rmasuoka definitely deserves an upvote.

0 Karma

harshal_chakran
Builder

If any lower-hierarchy process fails, its upper one should be forced to FAIL, even if in its individual run the upper one was PASS.

Means if p6 fails and p5 does not, then p6's predecessor p4 should be set as FAIL, which in turn sets p2 as FAIL and finally p1 as FAIL,
while p5 and p3 continue to be in PASS status.

0 Karma
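
The propagation rule described in this thread (a failure forces FAIL onto everything that depends on it, directly or through a chain), written out in Python over the lookup rows from the question. This is an added example, not code from any poster or from the linked thread; the function name `propagate_failures` and the sample statuses are constructed for illustration, and it shows the graph logic rather than an SPL search.

```python
from collections import defaultdict, deque

# Lookup rows from the question: Predecessor depends on Successor.
LOOKUP = [("p1", "p2"), ("p1", "p3"), ("p2", "p4"), ("p4", "p6"), ("p3", "p5")]


def propagate_failures(lookup, raw_status):
    """Force FAIL onto every process that depends, directly or
    transitively, on a process whose own status is FAIL.

    Returns (effective_status, forced), where forced is the set of
    processes that did not fail themselves but were set to FAIL.
    (Hypothetical helper written for this example.)
    """
    # Reverse the edges: successor -> processes that depend on it.
    dependents = defaultdict(set)
    for predecessor, successor in lookup:
        dependents[successor].add(predecessor)

    effective = dict(raw_status)
    failed = {p for p, s in raw_status.items() if s == "FAIL"}
    queue = deque(failed)
    visited = set(failed)  # also guards against cycles in the lookup
    while queue:
        proc = queue.popleft()
        for parent in dependents[proc]:
            effective[parent] = "FAIL"
            if parent not in visited:
                visited.add(parent)
                queue.append(parent)
    return effective, visited - failed


if __name__ == "__main__":
    # Constructed sample: every process passed on its own except p6.
    raw = {p: "PASS" for p in ("p1", "p2", "p3", "p4", "p5", "p6")}
    raw["p6"] = "FAIL"
    effective, forced = propagate_failures(LOOKUP, raw)
    for name in sorted(effective):
        note = " (forced by a dependency)" if name in forced else ""
        print(f"{name} {effective[name]}{note}")
```

Walking the reversed edges breadth-first from each failed process reaches every ancestor once, so the depth of the dependency chain does not need to be known in advance.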

gokadroid
Motivator

What happens when p6 fails but p5 passes?
And when p6 fails and p2 passes?

Also, how are these processes distinguished in each run? Say the data needs a correlation between multiple runs, like below: how can one distinguish p1 of run 1 from p1 of run 2, 3 or 4?

run 1  - p1 pass;  p2 pass; p4 pass; p6 pass
run 2  - p1 pass;  p3 pass; p5 fails
run 3  - p1 pass;  p2 fails; p4 pass; p6 pass
run 4  - p1 pass;  p3 pass; p5 pass
0 Karma