topic Re: New field with conditional value in Splunk Search

New field with conditional value

owulz — Fri, 12 Feb 2021 06:48:19 GMT

I have a dashboard panel with a table that show 3 fields, each of which contain numeric values.

A) "Backups started (count)"

B) "Backups completed successfully (count)"

C) "Backups failed (count)"

I want to create a 4th field (D) "Backups in-progress" that simply calculates B-A.

I already have the logic to change the color of (D) if it's less than (A).

Thanks

Re: New field with conditional value

scelikok — Fri, 12 Feb 2021 07:38:33 GMT

Hi @owulz,

Are these fields in table columns or rows? Solution would be different. If you can share your current SPL of that creates that table, we can provide solution easier.

Re: New field with conditional value

owulz — Fri, 12 Feb 2021 07:50:30 GMT

Hi scelikok, thanks for answering.

These are fields created as part of a query search within a table, so each field is a column with a single status result each, so I get 3 columns.

Started, Successful, Failed.

I'm trying to dynamically calculate a 4th field that I'll insert between Started and Successful, to say InProgress.

For those three fields, taking the example of the first, after the index... sourcetype... host.... I have | stats count(eval(searchmatch("search string"))) as "Started". There are three of these. I assumed I'd be able to append something like | eval diff(Successful-Started) as "InProgress"

Re: New field with conditional value

scelikok — Fri, 12 Feb 2021 08:05:16 GMT

Thank you @owulz,

It is clear now. You can use the eval command to calculate a new field (You are very close)

| eval InProgress = Successful-Started

Re: New field with conditional value

owulz — Fri, 12 Feb 2021 08:42:32 GMT

That worked a treat @scelikok - thank you so much!

Re: New field with conditional value

owulz — Fri, 12 Feb 2021 11:27:38 GMT

Can I just ask a follow up?

My new field now works well. There are occasions where the value is <0. In such cases I want it to show 0. Any value 0 or above stays as is. I tried the following which is to create another field that checks the original newly created field and if <0, use 0 else use original value.

I get an error but not sure why. I had used a researched article.

index=a0_designeng_generic_app_audit_prd sourcetype=cba:designeng:as400:syslog host="MIDINT01.CBA.COM.AU"
| stats
count(eval(searchmatch("BACKUP AND CPF1124"))) as "Started"
count(eval(searchmatch("BACKUP AND CPF1164 AND SUCCESS"))) as "Successful"
count(eval(searchmatch("BACKUP AND CPF1164 AND FAILURE"))) as "Failed"
| eval running1 = Started-(Successful+Failed) | rename running as "Running1"
| eval running2 = case(Running1<0, 0, Running1>= 0, Running1) | rename running as "Running"

The last statement above is the one that the editor says has an error.

The original article link: https://docs.splunk.com/Documentation/SCS/current/SearchReference/ConditionalFunctions

Section Extended example.

Appreciate any help.

Thanks

Re: New field with conditional value

scelikok — Fri, 12 Feb 2021 11:39:00 GMT

Hi @owulz,

I couldn't guess the error but below should work;

index=a0_designeng_generic_app_audit_prd sourcetype=cba:designeng:as400:syslog host="MIDINT01.CBA.COM.AU" | stats count(eval(searchmatch("BACKUP AND CPF1124"))) as "Started" count(eval(searchmatch("BACKUP AND CPF1164 AND SUCCESS"))) as "Successful" count(eval(searchmatch("BACKUP AND CPF1164 AND FAILURE"))) as "Failed" | eval Running = Started-(Successful+Failed) | eval Running = case(Running<0, 0,1=1,Running)

Re: New field with conditional value

owulz — Sat, 13 Feb 2021 02:06:59 GMT

Hi again,

I think there may have been an error in this:

| eval Running = case(Running<0, 0,1=1,Running)

I didn't understand the part ... ,1=1,

I am using below, but getting the error on the second statement: Error on line 434: Unencoded <

| eval Running = Started-(Successful+Failed)
| eval Running = case(Running<0, 0, Running >=0, Running)

Strange as the syntax appears to me to be the same as in the earlierexample (via link I posted).

Not sure why it doesn't like with the syntax I used.

Re: New field with conditional value

owulz — Sat, 13 Feb 2021 02:26:18 GMT

I should have mentioned that first I used the last statement exactly as you suggested, but that too returned the same error "Unencoded <"

Re: New field with conditional value

owulz — Mon, 22 Mar 2021 13:11:11 GMT

Hi - I have an interestnig follow up..

The query section of code in my dashboard panel looks like this at the moment...

<query>
index=myindex sourcetype=bla:linux:syslog host="server.bla.COM" ABCEVENT
| stats
count(eval(searchmatch("BACKUP AND CPF1124"))) as "Started"
count(eval(searchmatch("BACKUP AND CPF1164 AND SUCCESS"))) as "Successful"
count(eval(searchmatch("BACKUP AND CPF1164 AND FAILURE"))) as "Failed"
| eval Running=if(Started-(Successful+Failed) >= 0, Started-(Successful+Failed), 0)
| table Started, Running, Successful, Failed
</query>

The field Running is a calculated field which works, but not well as it relies on data that may notbe unreliable.

I want to replace the value that is displayed for field Running with something like the following (based on new data I send to splunk). Idea is to fetch only the last occurence of this event from the past 5 minutes. The event returned will essentially include a count value that I want to extra and use in my panel as a statistic.

index=myindex sourcetype=bla:linux:syslog host="server.bla.COM" ABCEVENT *NONSBS earliest=-5m | eventstats max(_time) as maxtime | where _time=maxtime

When I do above as a regular Splunk search, I get a single event returned which is perfect.

I already created a field extraction which always shows up as an available field in my search results. It's called Jobs_Running.

What I would like to do is to replace this ...

| eval Running=if(Started-(Successful+Failed) >= 0, Started-(Successful+Failed), 0)

With something similar to the above search string, adapted to work within the existing panel, so that I can display the new value for "Running" along side the existing fields "Started", "Successful" and "Failed".

Is there a way to do this?

One thing I'm not sure about is whether I can pull in the already extracted field (Jobs_Running) that ia visible when I do a regular search or do I need to perform a field extraction on the fly?

The expression is: ^(?:[^ \n]* ){9}(?P<Jobs_Running>\d+)

Thanks