topic Re: lookup with if statement through eval. in Splunk Enterprise

lookup with if statement through eval.

rahul_mckc_splu — Tue, 20 Jul 2021 17:12:40 GMT

Here is my search

index=abc Status=FAILED | eval exception =if(bucket_name=s3-abc, "yes","no") | stats count by bucket_name exception

now if my bucket name is s3-abc, it would print bucket_name=s3-abc and exception=yes, rest all buckets will fall under exception=no.

Now i need to do this task through a lookup, i have a lookup which is buckets.csv and fields is there bucket_name, so I need to see that lookup if the bucket is there then it should print exception=yes rest it should print exception=no. i am doing like this but not getting anything

Re: lookup with if statement through eval.

ITWhisperer — Tue, 20 Jul 2021 17:22:17 GMT

If you csv has bucket_name and exception (always set to "yes") you could try this

index=abc Status=FAILED | lookup bucket.csv | fillnull value="no" exception | stats count by bucket_name exception

Re: lookup with if statement through eval.

rahul_mckc_splu — Tue, 20 Jul 2021 18:06:39 GMT

no, it does not seems to be the solution. if you can read what I want.

i need to match my lookup then print "yes" or "no" depends upon if that field value exist.

Re: lookup with if statement through eval.

ITWhisperer — Tue, 20 Jul 2021 19:40:42 GMT

You said you need to find out if bucket name exists in your bucket.csv - this is what lookup does, however, you need a field to look up from the csv, so why not make it exception so the lookup will return exception as yes if it exists in the csv. If this isn't returned, exception will be null, so fillnull can set the nulls to no. Doesn't this get you to the position you wanted i.e. all buckets in the csv will have exception set to yes and all those not in the csv will have exception set to no. If this is not what you are after, please explain your request more clearly.

Re: lookup with if statement through eval.

rahul_mckc_splu — Tue, 20 Jul 2021 20:04:12 GMT

Here is my search

index=abc Status=FAILED | eval exception =if(bucket_name=s3-abc, "yes","no") | stats count by bucket_name exception

now if my bucket name is s3-abc, it would print bucket_name=s3-abc and exception=yes, rest all buckets will fall under exception=no.

Now i have lookup like this

bucket_name

s3-abc

s3-bcd

s3-bcw

so I need to see that lookup, if the bucket is there then it should print exception=yes rest it should print exception=no. i am doing like this but not getting anything

iindex=abc Status=FAILED | lookup bucket.csv bucket_name| fillnull value="no" exception | stats count by bucket_name exception

then it is not matching and also printing the "yes" it should print if raw logs has any of the buckets in buckets.csv

Re: lookup with if statement through eval.

rahul_mckc_splu — Tue, 20 Jul 2021 20:06:20 GMT

then it is not matching and also not printing the "yes" , it should print "yes" if raw logs has any of the buckets in buckets.csv it is only printing "no"

Re: lookup with if statement through eval.

ITWhisperer — Tue, 20 Jul 2021 20:10:15 GMT

Can you change your lookup so it is like this?

bucket_name	exception
s3-abc	yes
s3-bcd	yes
s3-bcw	yes

Re: lookup with if statement through eval.

rahul_mckc_splu — Tue, 20 Jul 2021 20:13:04 GMT

My lookup does not have any exception field, and it would not have it. The reason of printing yes and no is to have match field name in lookup.

Re: lookup with if statement through eval.

rahul_mckc_splu — Tue, 20 Jul 2021 20:15:33 GMT

i have 10000 records in raw logs, and i can't maintain all field names in lookup, so i have almost 20-25 exceptions which i am handling in a lookup, and trying to match those in raw logs to have exception printed as "yes" or "no".

Re: lookup with if statement through eval.

ITWhisperer — Tue, 20 Jul 2021 20:26:55 GMT

Try this:

Re: lookup with if statement through eval.

rahul_mckc_splu — Tue, 20 Jul 2021 20:29:45 GMT

worked..thanks alot