Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to compare and save the values between some columns

ruchijain
New Member
‎06-27-2019 04:00 AM

Hi all,
I have below input:

alt text

Now I want to do below comparision:

(Row1 = started AND row2=started ) OR (row3="started" AND Row4="started")

The result is good otherwise result is bad.

I don't know how to do that comparison and save the value, can anyone please help?

Preview file
1 KB
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

renjith_nair
Legend
‎06-27-2019 05:55 AM

@ruchijain,

You have almost the solution in your question itself. Probably you haven't specified the fields correctly

| eval result=if(('row 1' = "started" AND 'row 2'="started" ) OR ('row 3'="started" AND 'row 4'="started"),"good","bad")
---
What goes around comes around. If it helps, hit it with Karma 🙂

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

renjith_nair
Legend
‎06-27-2019 05:55 AM

@ruchijain,

You have almost the solution in your question itself. Probably you haven't specified the fields correctly

| eval result=if(('row 1' = "started" AND 'row 2'="started" ) OR ('row 3'="started" AND 'row 4'="started"),"good","bad")
---
What goes around comes around. If it helps, hit it with Karma 🙂
0 Karma
Reply
Solved! Jump to solution

ruchijain
New Member
‎06-27-2019 07:11 AM

Hi Renjith,

Please find the image attahced:

But if i will look for bad it will alert for the first row but i think i got the option like if number of result if greater than 1 then it will alert.

Can i use this query?

eventtype=cxp_editorial_mob | chart latest(status) as status by raxhost | transpose | eval result=if(('row 1'!= "started" AND 'row 2'!="started" ) OR ('row 3'="started" AND 'row 4'="started"),"good","bad")

alt text

Preview file
1 KB
0 Karma
Reply
Solved! Jump to solution

renjith_nair
Legend
‎06-27-2019 10:05 AM 
    eventtype=cxp_editorial_mob | chart latest(status) as status by raxhost | transpose | eval result=if(('row 1'!= "started" AND 'row 2'!="started" ) OR ('row 3'="started" AND 'row 4'="started"),"good","bad")
    |where result=="bad"

and then trigger alert if Number of Results is greater than 0.

---
What goes around comes around. If it helps, hit it with Karma 🙂
0 Karma
Reply
Solved! Jump to solution

ruchijain
New Member
‎06-27-2019 06:25 AM

Thanks renjith for the answer.

Just need one more i got below output:

alt text

I want to juts check for the row status if it is good or bad...

Means i want to get alert if the status row is bad... how to do that

0 Karma
Reply
Solved! Jump to solution

renjith_nair
Legend
‎06-27-2019 06:44 AM

@ruchijain,
the image is not available. You could add |where result=="bad" to your search and trigger alert if Number of Results is greater than 0

---
What goes around comes around. If it helps, hit it with Karma 🙂
0 Karma
Reply
Get Updates on the Splunk Community!

Database Performance Sidebar Panel Now on APM Database Query Performance & Service ...

We’ve streamlined the troubleshooting experience for database-related service issues by adding a database ...

IM Landing Page Filter - Now Available

We’ve added the capability for you to filter across the summary details on the main Infrastructure Monitoring ...

Dynamic Links from Alerts to IM Navigators - New in Observability Cloud

Splunk continues to improve the troubleshooting experience in Observability Cloud with this latest enhancement ...