Splunk Search

How to pick the status that I wish to

pench2k19
Explorer

I have a table with 3 field values as follows:

SOR   Datafeed  Status
1art  xxx       Met SLA
1art  yyy       Missed SLA
1art  zzz       Met SLA

Now I would like to consider the status of a SOR as Missed SLA if it has even one single status of Missed SLA, and also there are some cases where I don't see a Missed SLA status; in that case it has to be calculated as Met SLA.

Can you please help me, guys?

0 Karma

nickhills
Ultra Champion

Hi @pench2k19

"cases where I don't see a Missed SLA status; in that case it has to be calculated as Met SLA"

You can do this with an eval Status=if(blah), but coalesce() is a good fit here:

your search|eval Status=coalesce(Status,"Met SLA")

The first part of your question I'm not 100% sure what you mean...

Do you mean: "if any value of SOR has a status of Missed SLA, then display it in the table"?
In which case something like this should work:

your search|eval Status=coalesce(Status,"Met SLA")|where Status="Missed SLA"

It might help if you can share some of your search, or rephrase the question.

If my comment helps, please give it a thumbs up!
0 Karma

pench2k19
Explorer

@nickhillscpl thanks for the comment.

I have a few data feeds that share a common SOR name. For example, if any ONE data feed has a status of Missed SLA, I want to calculate the whole SOR that the data feed belongs to as Missed SLA.

If all of the data feeds have Met SLA, I want to calculate that SOR as Met SLA.

0 Karma

nickhills
Ultra Champion

Ok, so there are a few ways I can think of, but building on my previous answer...

If you sorted 'Status' in z-a order, you could then dedup each SOR. This would give you one row for each SOR, and would show the "Missed SLA" value if one existed. If no SLAs were missed, you would get a table of "Met SLA".

<your search>
|eval Status=coalesce(Status,"Met SLA")
|sort - Status
|dedup SOR
|table SOR Status

If my comment helps, please give it a thumbs up!
0 Karma

pench2k19
Explorer

@nickhills I cannot apply dedup SOR as it nullifies all other results for other dates as well. The following is what I have developed so far, but it's not working as expected.

|inputlookup MBDA_SLA_stats.csv
| dedup SOR feed timestamp
| eval status=if(timestamp_epoch>Expected_time_epoch,"Missed SLA","Met SLA")
| chart last(status) by Business_Date SOR useother=f limit=50 | fillnull value="Not Run"
|sort - Business_Date
|rename Business_Date as "Business Date"

0 Karma

nickhills
Ultra Champion

Try this:

|inputlookup MBDA_SLA_stats.csv
| dedup SOR feed timestamp
| eval status=if(timestamp_epoch>Expected_time_epoch,"Missed SLA","Met SLA")
|eval status=coalesce(status,"Met SLA")
|sort - status
|dedup SOR
| chart last(status) by Business_Date SOR useother=f limit=50 | fillnull value="Not Run"
|sort - Business_Date
|rename Business_Date as "Business Date"

I'd be tempted to remove the double dedup, but since this is coming from a lookup the performance impact is likely negligible.

If my comment helps, please give it a thumbs up!
0 Karma

pench2k19
Explorer

It's not working as expected.

0 Karma

nickhills
Ultra Champion

In what way?

If my comment helps, please give it a thumbs up!
0 Karma

kamlesh_vaghela
SplunkTrust

@pench2k19

Can you please share your sample search, data and expected output from that data?

0 Karma

pench2k19
Explorer

@kamlesh_vaghela here is the query I am using, but this is not working as expected.

|inputlookup MBDA_SLA_stats.csv
| dedup SOR feed timestamp
| eval status=if(timestamp_epoch>Expected_time_epoch,"Missed SLA","Met SLA")
| chart last(status) by Business_Date SOR useother=f limit=50 | fillnull value="Not Run"
|sort - Business_Date
|rename Business_Date as "Business Date"

0 Karma
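Here is an added example (not from any of the posters) of one way to roll the per-feed status up to a single status per SOR and Business_Date without using dedup, using the same lookup and field names as the query above: a numeric flag `missed` (a field name introduced here) is set on each row and `stats max()` collapses it per date and SOR, so a single late feed marks the whole SOR as Missed SLA while a SOR whose feeds all met the SLA stays Met SLA.

```spl
| inputlookup MBDA_SLA_stats.csv
| dedup SOR feed timestamp
| eval status=if(timestamp_epoch>Expected_time_epoch,"Missed SLA","Met SLA")
| eval missed=if(status=="Missed SLA",1,0)
| stats max(missed) as missed by Business_Date SOR
| eval status=if(missed==1,"Missed SLA","Met SLA")
| chart last(status) by Business_Date SOR useother=f limit=50
| fillnull value="Not Run"
| sort - Business_Date
| rename Business_Date as "Business Date"
```

Because `stats` groups by Business_Date as well as SOR, every date keeps its own row, which is what `dedup SOR` on its own was removing. A SOR with no rows at all for a date still shows as "Not Run" through the fillnull on the chart.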