Solved: How to set a "NOK" Status, when no data entry was ...

krispost · ‎12-18-2017

I have a little Problem and hopefully somebody who knows the solution for it.

The eval whatchdog=if(Count..... Looks if the entry comes before 8am, but unfortunately this query don't shows me if there isn't an entry coming! I want to have also a "NOK" status, even when there is no entry in the lookup table. How i can solve this Problem? Thanks for your effort.

mayurr98 · ‎12-18-2017

hey @krispost

Try this:

index=XXX 
| eval watchdog_time=_time 
| stats count by watchdog_time,date_hour 
| convert timeformat="%Y-%m-%d %H:%M" ctime(watchdog_time) 
| eval watchdog=if(count=1 AND date_hour<8,"OK","NOK") 
| eval Date=now() 
| convert timeformat="%Y-%m-%d %H:%M" ctime(Date) 
| table Date, watchdog, watchdog_time 
| outputlookup slaamlt.csv append=true

Let me know if this helps!

View solution in original post

krispost · ‎12-18-2017

sry guys, have another solution that works:

|eval watchdog_time=_time
| stats count by watchdog_time,date_hour
| convert timeformat="%Y-%m-%d %H:%M" ctime(watchdog_time)
| eval watchdog_value=if(date_hour<"8","OK","NOK")

| eval watchdog=if(isnull(watchdog_time),"NOK1",watchdog_value)

| eval Date=now() | convert timeformat="%Y-%m-%d %H:%M" ctime(Date) | table Date, watchdog, watchdog_time
| outputlookup slaamlt.csv append=true

niketn · ‎12-18-2017

@krispost, I dont think you have defined your criteria for OK and NOK. In your question seemed like count=1 was also required condition which is missing in your current query.
Also date_hour<"8" performs string comparison which will treat values greater than 10 smaller than 8. So the suggestions above were to compare with numeric 8 rather than string "8".

Also while query may eventually work by adding a lot of pipes, you should consider performance of your query as well. Check my query above compared to your current solution for performance in Job Inspector.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

mayurr98 · ‎12-18-2017

hey @krispost

Try this:

index=XXX 
| eval watchdog_time=_time 
| stats count by watchdog_time,date_hour 
| convert timeformat="%Y-%m-%d %H:%M" ctime(watchdog_time) 
| eval watchdog=if(count=1 AND date_hour<8,"OK","NOK") 
| eval Date=now() 
| convert timeformat="%Y-%m-%d %H:%M" ctime(Date) 
| table Date, watchdog, watchdog_time 
| outputlookup slaamlt.csv append=true

Let me know if this helps!

niketn · ‎12-18-2017

I would try something like the following:

index=XXX
| stats count by _time, date_hour
| eval watchdog_time=strftime(_time,"%Y-%m-%d %H:%M") 
| eval watchdog=if(count=1 AND date_hour<8,"OK","NOK") 
| eval Date=strftime(now(), "%Y-%m-%d %H:%M")
| table Date, watchdog, watchdog_time
| outputlookup slaamlt.csv append=true

Stats should be performed first on _time and then _time should be converted to watchdog_time as per use case.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

How to set a "NOK" Status, when no data entry was delivered

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!