topic Re: Implementing condition in search in Splunk Search

Implementing condition in search

zacksoft — Tue, 29 Sep 2020 17:16:56 GMT

This is the algorithm of my query. Could someone help me in constructing it.

If (A happens)
{
Then ( Execute B Query)
{
}

"Here A is a query like Host=A OR B, error_happened"
"B is a query like Host=A OR B, usage
Show in stats/chart, if 'apple' and 'error' found'
if 'orange' and 'error' found
if 'grape' and 'error 'found'"
Apple/Orange/Grape/Error/Error_happened are not Splunk fields they are just some string/keyword in events.
And B query should only execute if A query return any events/lines. If A query returns no events/lines then B shouldn't execute.

Re: Implementing condition in search

mayurr98 — Wed, 13 Dec 2017 09:16:46 GMT

you have to use eval(if) in conjunction with like() on _raw data

Refer this link, you will get an idea.
http://docs.splunk.com/Documentation/Splunk/7.0.1/SearchReference/ConditionalFunctions#like.28TEXT.2C_PATTERN.29

let me know if it helps!

Re: Implementing condition in search

zacksoft — Wed, 13 Dec 2017 09:36:41 GMT

Could you give me a psuedo-query using eval(if) and like/_raw ; A skeleton model query to have an idea how it should be .

Re: Implementing condition in search

zacksoft — Wed, 13 Dec 2017 09:52:00 GMT

eval (Host=A OR B, usage
Show in stats/chart, if 'apple' and 'error' found'
if 'orange' and 'error' found
if 'grape' and 'error 'found'"
| stats count by usage) IF (Host=A OR B, "error_happened")

i.e. eval B IF (A happens).

Is this how it should be composed ?

Re: Implementing condition in search

mayurr98 — Wed, 13 Dec 2017 09:56:58 GMT

I am not getting what do you want.
Can you please provide some sample input data and also tell us what output do you want?

Re: Implementing condition in search

zacksoft — Wed, 13 Dec 2017 10:14:47 GMT

Let me put it in another way,

If (Host = "fruitbasket" "rotten")
Then search ("apple" AND "bad") and ("orange" AND "bad")
and show it in some stats.

What I mean here is, if the initial search (Host = "fruitbasket" "rotten") returns any result then I want to search for events containing keywords ("apple" AND "bad") and ("orange" AND "bad")..etc.

Hope I am clear enough.

Re: Implementing condition in search

jplumsdaine22 — Wed, 13 Dec 2017 10:30:28 GMT

You could use a subsearch, and return null if your condition is unmet. Like this:

[search host=fruitbasket rotten  
| stats count 
| eval search=if(count>0,"bad AND (orange OR apple)",null) 
| fields search 
| format "" "" "" "" "" "" ]

Re: Implementing condition in search

zacksoft — Wed, 13 Dec 2017 10:45:26 GMT

Thanks , I was looking something exactly like this.. a subsearch kind of thing..

In #4 you have said "fieds search". What does this line do ?
And what about #5 | format "" "" <-- does it mean to format the output ?

Would this give the count (timechart) type stating how many events we had with( apple AND bad) & (Orange AND bad) ?

Re: Implementing condition in search

jplumsdaine22 — Wed, 13 Dec 2017 11:15:29 GMT

So this subsearch will return a value based on whether or not it discovers events that match host=fruitbasket rotten . If there are events it will return bad AND (orange OR apple). If there are no events it will return NOT OR ()

NOT OR () evaluates to null, so the outer search will return zero events. If you want a timechart as well, then throw a timechart command after the search like so

[search host=fruitbasket rotten  
| stats count 
| eval search=if(count>0,"bad AND (orange OR apple)",null) 
| fields search 
| format "" "" "" "" "" "" ]
| timechart count

For more information on wha the fields search and format mean have a look at the subsearch documentation http://docs.splunk.com/Documentation/Splunk/latest/Search/Aboutsubsearches

Re: Implementing condition in search

jplumsdaine22 — Wed, 13 Dec 2017 12:35:27 GMT

Also if this answers your question don't forget to mark the answer as accepted!

Cheers

Re: Implementing condition in search

zacksoft — Wed, 13 Dec 2017 12:40:24 GMT

The query runs without any error however It doesn't return any events. seems like it isn't finding the keywords error/orange/apple to search. I put double quote around it , but the expression gets malformed. This is to be noted that error/orange/apple are not splunk fields , but just some words found in events..

Re: Implementing condition in search

jplumsdaine22 — Wed, 13 Dec 2017 13:07:44 GMT

Which query returns no events? host=fruitbasket rotten or bad AND (orange OR apple)

Re: Implementing condition in search

zacksoft — Wed, 13 Dec 2017 13:23:54 GMT

bad AND (orange OR apple)

Re: Implementing condition in search

jplumsdaine22 — Wed, 13 Dec 2017 14:00:29 GMT

I'm a bit confused - If you do a query for bad AND (orange OR apple) on its own (without all the subsearch bit) do you get any results? If you get none then the problem is that you have no data, not that the search is being malformed.

If you think the eval is failing, try this on its own:

|makeresults
| eval search="bad AND (orange OR apple)"
| fields search 
| format "" "" "" "" "" ""

That's what will get sent to the main search if your condition is true

Re: Implementing condition in search

zacksoft — Tue, 29 Sep 2020 17:16:18 GMT

When I run the queried individually (with out nesting in subserach it gives results.
But when i run them together like above I get the error "Error in 'eval' command: The expression is malformed. Expected )."

Just so as you know, rotten;error;apple;orange etc..are words found in logs, they are not Splunk fields.