Splunk Search

From a list of column values can we print one final, single message?

prashanthberam
Explorer

Hi All,
I want to compare the result column values, which display 3 kinds of messages:
Normal, Elevated, Critical.
Example :

   Column A          Column B
   1                 Normal
   2                 Normal
   3                 Critical

etc

   Result:
   Critical  (I need only one message)

I want to check the messages in Column B. Since Critical is one of the results in Column B, the result should be Critical. If there are no Critical results and they are all Normal, then the output should be Normal. Similarly, any single Elevated result means Elevated.
Can we do that?
Thanks,

0 Karma
1 Solution

pradeepkumarg
Influencer

Append something like this to your search. Might not be an elegant solution, but should work.

|dedup status | table status | eval Rank = if(status="Critical",3,if(status="Elevated",2,1)) | sort -Rank | table status | head 1

I just assigned a rank based on your order and am retaining only the one with the highest rank.


0 Karma


niketn
Legend

@prashanthberam, please add more details of what your current data (raw events) and query are, along with the current results, as the description is not sufficient.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

prashanthberam
Explorer

Here is my query.
I need to check whether I am getting data from hosts or not in a span of 24 hours; for that I have written a search. I am printing the status of the host and sourcetype, whether I am getting data or not. If I am getting the data from the host it is Normal, else Elevated, else Critical; I am printing these messages in one column, that is status. Using the status column messages, I want to print one overall result.

   index   sourcetype   time   volume   status
   xx      xxxx         xx     xxxx     Normal
   xxx     xxxxx        xx     xxxx     Normal
   xxx     xxx          xx     xxx      Critical

Thanks In advance.

0 Karma

niketn
Legend

Try the following. OverallStatus should give you what you are looking for:

| stats values(status) as status
| eval OverallStatus=case(status=="Critical","Critical",status=="Elevated","Elevated",status=="Normal","Normal")

Ideally you should be able to tweak your existing query to directly get the Overall Status.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
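Added example, not code from either answer above: it builds the four cases from the thread with makeresults, maps each status to a numeric severity, and rolls each case up with max(), so one Critical row wins no matter how many rows exist or in what order they appear. The field names sample, case_id, severity and max_severity are my own choices.

```spl
| makeresults count=1
| eval sample="1:Critical,Normal,Elevated;2:Normal,Normal,Elevated;3:Normal,Normal,Normal;4:Elevated,Elevated,Elevated"
| eval sample=split(sample, ";")
| mvexpand sample
| rex field=sample "^(?<case_id>\d+):(?<status>.*)$"
| eval status=split(status, ",")
| mvexpand status
| eval severity=case(status=="Critical",3, status=="Elevated",2, status=="Normal",1, true(),0)
| stats max(severity) as max_severity values(status) as statuses by case_id
| eval OverallStatus=case(max_severity==3,"Critical", max_severity==2,"Elevated", max_severity==1,"Normal", true(),"Unknown")
| table case_id statuses OverallStatus
```

In a real search, replace everything up to the severity eval with your own query that produces the status column; the stats and the final eval are the part that collapses many rows into one result.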

pradeepkumarg
Influencer

If you have both rows with Elevated and Critical, then what do you want to display in your result?

0 Karma

prashanthberam
Explorer

Case 1: Critical, Normal, Elevated .... result: Critical
Case 2: Normal, Normal, Elevated .... result: Elevated
Case 3: Normal, Normal, Normal .... result: Normal
Case 4: Elevated, Elevated, Elevated .... result: Elevated

0 Karma