Hi,
We have a requirement to write a search:
We have a status(up,down,disabled,enabled),
1.If status is up or enabled, we have given value range of 10 and is OK(Green)
2.If status is down or disabled, we have given a range of 0 and is severe (RED).
Below is our basic search, but it currently only works if status is Up or down. Can someone help in enhancing this search such that we can update for 4 statuses? When Up OR ENABLED, it should be value 10...If Down OR DISABLED, it should be 0 (SEVERE).
index=f5 server1 monitor status | fillnull value="up" F5_TCPStatus | eval status=if(F5_MonitorStatus="up",10,0)|head 1 |appendpipe [ stats count | eval status=10 | where count==0 | fields - count ] | stats values(status) AS severity | rangemap field=severity severe=0-9 low=10-11 default=elevated
Try like this
index=f5 server1 monitor status | head 1| fillnull value="up" F5_TCPStatus | eval status=if(F5_MonitorStatus="up" OR F5_MonitorStatus="enabled",10,0) |appendpipe [ stats count | eval status=10 | where count==0 | fields - count ] | stats values(status) AS severity | rangemap field=severity severe=0-9 low=10-11 default=elevated
Try like this
index=f5 server1 monitor status | head 1| fillnull value="up" F5_TCPStatus | eval status=if(F5_MonitorStatus="up" OR F5_MonitorStatus="enabled",10,0) |appendpipe [ stats count | eval status=10 | where count==0 | fields - count ] | stats values(status) AS severity | rangemap field=severity severe=0-9 low=10-11 default=elevated
Thanks....