Hi All,
I want to compare the values of a result column which displays 3 kinds of messages:
Normal, Elevated, Critical.
Example:
Column A   Column B
1          Normal
2          Normal
3          Critical
etc.
Result:
Critical (I need only one message)
I want to check the messages in Column B. Since Critical is one of the results in Column B, the result should be Critical. If there are no Critical results and they are all Normal, then the output should be Normal. Likewise, any single Elevated result gives Elevated.
Can we do that?
Thanks,
Append something like this to your search. Might not be an elegant solution, but should work.
|dedup status | table status | eval Rank = if(status="Critical",3,if(status="Elevated",2,1)) | sort -Rank | table status | head 1
I just assigned a rank based on your order and just retaining the one with highest rank.
@prashanthberam, please add more details of your current data (raw events) and query, along with the current results, as the description is not sufficient.
Here is my query.
I need to check whether I am getting data from hosts or not over a span of 24 hours; for that I have written a search. I am printing the status of the host and sourcetype, i.e. whether I am getting data or not. If I am getting the data from the host it is Normal, else Elevated, else Critical; I am printing these messages in one column, that is status. Using the status column messages, I want to print one overall result.
index   sourcetype   time   volume   status
xx      xxxx         xx     xxxx     Normal
xxx     xxxxx        xx     xxxx     Normal
xxx     xxx          xx     xxx      Critical
Thanks in advance.
Try the following; OverallStatus should give you what you are looking for:
| stats values(status) as status
| eval OverallStatus=case(status=="Critical","Critical",status=="Elevated","Elevated",status=="Normal","Normal")
Ideally you should be able to tweak your existing query to directly get the Overall Status.
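Combining the two approaches above (the numeric rank from the first answer and the single OverallStatus field from the second), here is an added example of my own, not code from either answerer. It assumes the existing search already yields one row per index/sourcetype with a field named status holding Normal, Elevated or Critical; the field names rank, hosts_checked and seen_statuses are my own choices.

```spl
| eval rank=case(status="Critical", 3, status="Elevated", 2, status="Normal", 1, true(), 0)
| stats max(rank) as rank, count as hosts_checked, values(status) as seen_statuses
| eval OverallStatus=case(rank=3, "Critical", rank=2, "Elevated", rank=1, "Normal", true(), "Unknown")
| table OverallStatus hosts_checked seen_statuses
```

Reducing on a numeric rank with max() means the result does not depend on the alphabetical order of the status strings, and the true() default branch maps any unexpected status value to Unknown instead of silently treating it as Normal, which matters when this search is what tells you whether a host has stopped sending logs. hosts_checked and seen_statuses are kept alongside the single overall value so the one-row result still shows what it was computed from.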
If you have both rows with Elevated and Critical, then what do you want to display in your result?
Case 1: Critical, Normal, Elevated .... result: Critical
Case 2: Normal, Normal, Elevated .... result: Elevated
Case 3: Normal, Normal, Normal .... result: Normal
Case 4: Elevated, Elevated, Elevated .... result: Elevated