I am trying to build a search where I can return a status_code based on the conditions of two fields:
<search>
|eval severity_level=case(severity==0, "indeterminate", severity==1, "Critical", severity==2, "Major", severity==3, "Minor", severity==4, "Warning", severity==5, "Cleared")
|stats count as Total
|eval status_code = case(Total>=1 AND severity_level==Critical, "105", Total>=1 AND severity_level==Major, "104", Total>=1 AND severity_level==Minor, "103", Total==0, "100")
|table status_code
This seems to work if the Total of the search is 0, in which case the status_code is returned as 100.
The other status codes do not work even when the conditions are met.
This works:
<search>
|stats count as Total
|eval status_code=case(Total==0, "100",Total==1, "105")
|table status_code
What am I missing?
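An added example (not the poster's search, and not a Splunk-documented pattern) showing one way to get the per-severity codes out of a search shaped like the one above. Two things about the first search are worth knowing: `stats count as Total` emits a single row that carries only the fields the stats command produces, so `severity_level` no longer exists when the second `eval` runs; and in `case()`, an unquoted `Critical` is read as a reference to a field named Critical, not the string "Critical", so the comparison never matches. Carrying the worst severity number through `stats` as a second aggregate avoids both problems. `<search>` stands for the base search exactly as in the post; `sev_rank` and `worst_severity` are names chosen for this example.

```spl
<search>
| eval severity_level=case(severity==0, "indeterminate", severity==1, "Critical", severity==2, "Major", severity==3, "Minor", severity==4, "Warning", severity==5, "Cleared")
| eval sev_rank=if(severity>=1 AND severity<=3, severity, null())
| stats count as Total, min(sev_rank) as worst_severity
| eval status_code=case(Total==0, "100", worst_severity==1, "105", worst_severity==2, "104", worst_severity==3, "103", true(), "100")
| table status_code
```

`sev_rank` keeps only the three severities that map to a non-default code (1 = Critical is the lowest number, so `min()` picks the most severe one present); `min()` ignores null values, and when no events match, `stats count` still returns one row with Total=0, so the `Total==0` branch fires first and yields "100". The final `true()` branch covers the case where events exist but none are Critical, Major or Minor, which the original `case()` left with no matching branch and therefore a null status_code. If separate counts per level are wanted instead, use `stats count as Total by severity_level` and compare the quoted string, e.g. `severity_level=="Critical"`, remembering that a `by` clause produces no row at all when nothing matches.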