Conditional Eval based on value in the field

abhisheks2412 — Tue, 29 Sep 2020 20:18:33 GMT

I am trying to use transaction command to correlate two event types. I need to correlate events based on value in "id" part of the following searches.
Search 1:- event=A somefield=job_type-id
For Eg:- event=end somefield=job1-AAAAAAAAA
Search 2:- event=B job_type=id
For Eg:- event=start job1=AAAAAAAAA
Can contain multiple job_types in single event

Search 1 can contain 4 different types of "job_type", like, job1, job2, job3 and job4. Search 1 will only contain one "job_type" for any given event. Value of "id" is not extracted in any field.
Search 2 contains the above 4 types of jobs with corresponding "id". But, few Search 2 events can have multiple job_types. For Eg:- event=start job1=AAAAAAAAA job2=BBBBBBBB

I am using following transaction search,

(Search 1) OR (Search 2)
| rex somefield=(?>type>\w+\d)-(?>id>.*)
| eval newfield=if(len(id)>0,id,if(len(job1)>0,job1,if(len(job2)>0,job2,if(len(job3)>0,job3,if(job4)>0,job4,""))))
| transaction newfield keepevicted=true maxspan=1m
| where eventcount < 2
| table _raw type id

Above search works fine, but when Search 1 contains job3 as job_type and Search 2 contains job1 and job3. It does not correlates events. This is expected as in "eval" condition job1 is given preference.

I wanted to know if there is a way to reorder the "eval" condition based on job_type in Search 1, something like below (it does not works),

| eval a = if(len(id)>0,id,if(len(job1)>0,job1,if(len(job2)>0,job2,if(len(job3)>0,job3,if(job4)>0,job4,""))))
| eval b = if(len(id)>0,id,if(len(job2)>0,job2,if(len(job1)>0,job1,if(len(job3)>0,job3,if(job4)>0,job4,""))))
| eval c = if(len(id)>0,id,if(len(job3)>0,job3,if(len(job2)>0,job2,if(len(job1)>0,job1,if(job4)>0,job4,""))))
| eval d = if(len(id)>0,id,if(len(job4)>0,job4,if(len(job2)>0,job2,if(len(job3)>0,job3,if(job1)>0,job1,""))))
| eval newfield=case(
type=job1, a,
type=job2, b,
type=job3, c,

type=job4, d,
1 == 1, "NULL"
)

Re: Conditional Eval based on value in the field

ddrillic — Tue, 10 Jul 2018 00:04:31 GMT

The case command can help here.

Something in the spirit of eval a = case (len(id) > 0,id, len(job1) > 0, job1, .......

Re: Conditional Eval based on value in the field

abhisheks2412 — Tue, 10 Jul 2018 22:54:59 GMT

I tried with case as well, but does not help.

Re: Conditional Eval based on value in the field

Richfez — Wed, 11 Jul 2018 13:43:01 GMT

So, if I'm reading this correctly...

In event 2, which job do you want to match on?

Could you provide samples of the four possible styles of events for each of search 1 and search 2? Obviously, redact information that shouldn't get out, but also keep in mind we're data people - we can read data and also sometimes if you obfuscate too well we "lose sight of what it is you are doing". Also, most information isn't as secret as people think. 🙂

topic Re: Conditional Eval based on value in the field in Splunk Search

Conditional Eval based on value in the field

Re: Conditional Eval based on value in the field

Re: Conditional Eval based on value in the field

Re: Conditional Eval based on value in the field