topic Re: help on eval condition in Splunk Search

help on eval condition

jip31 — Sat, 23 Nov 2019 06:21:15 GMT

Hi
I use the search below which works fine but I have an issue with my eval command
why i can retrieve the "No SPLUNK Agent" condition even if the splukforwarder name doesnt exists in the event?
thanks

    [| inputlookup host.csv 
    | table host] (index=toto sourcetype="tutu" Type=Service Name="SplunkForwarder" 
| fields Name host 
| dedup host  
| eval "SPLUNK agent status"=if(Name=="SplunkForwarder","SPLUNK Agent is present", "No SPLUNK Agent") 
| stats values("SPLUNK agent status") as "SPLUNK agent status" by host

Re: help on eval condition

to4kawa — Sat, 23 Nov 2019 07:38:33 GMT

Hi,You are searching only for Name is SplunkForwarder in the second line

Re: help on eval condition

gcusello — Wed, 30 Sep 2020 03:07:42 GMT

Hi @jip31,
your search has the limit of 50,000 results in subsearches.
So I hint to change the order of your searches putting search on index as main search and inputlookup in subsearch, something like this;

index=toto sourcetype="tutu" Type=Service Name="SplunkForwarder" 
| eval host=lower(host)
| stats count BY host
| append [ | inputlookup host.csv | eval host=lower(host), count=0 | fields host ]
| stats sum(count) AS Total
| where Total=0

In this way you have all the hosts that are not sending logs. and you can use this search in an alert.

In addition, maybe a search on _internal could give you the same results ( | metasearch index=_internal ) and probably is more accurate and quick.

If you like, you can also display the situation of your servers in graphic mode in a a dashboard using an approach like this:

<form script="table_icons_rangemap.js" stylesheet="table_decorations.css">
  <label>Overview Servers</label>
  <fieldset submitButton="false">
    <input type="time" token="Time">
      <label>Time</label>
      <default>
        <earliest>-15m</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <table id="table1">
        <title>Total = $server_count$</title>
        <search>
          <query>
            index=toto sourcetype="tutu" Type=Service Name="SplunkForwarder" 
            | eval host=lower(host)
            | stats count BY host
            | append [ | inputlookup host.csv | eval host=lower(host), count=0 | fields host ]
            | stats sum(count) AS total
            | rangemap field=total elevated=0-0 low=1-10000000000000000000000000 default=severe
            | table host range
            </query>
            <earliest>$Time.earliest$</earliest>
            <latest>$Time.latest$</latest>
            <progress>
               <set token="server_count">$job.resultCount$</set>
            </progress>
            <cancelled>
               <unset token="server_count"></unset>
            </cancelled>
        </search>
        <option name="count">100</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">none</option>
        <option name="percentagesRow">false</option>
        <option name="refresh.display">progressbar</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
      </table>
    </panel>
</form>

You can find more infos about the way yo have graphic mode in the dashboard Table Icon Set (Rangemap) of the Splunk Dashboard Examples App ( https://splunkbase.splunk.com/app/1603/ ) where it's described how to use js and css and which ones to use.

Ciao.
Giuseppe

Re: help on eval condition

arjunpkishore5 — Sat, 23 Nov 2019 13:28:37 GMT

Hi,

You're explicitly filtering to Name="SplunkForwarder" Remove that from the filter (Assuming that index=toto has all the hosts that you are are looking for from host.csv)

index=toto sourcetype="tutu" Type=Service  [| inputlookup host.csv 
     | table host]
 | stats latest(Name) as Name by host 
 | eval "SPLUNK agent status"=if(Name=="SplunkForwarder","SPLUNK Agent is present", "No SPLUNK Agent") 
 | stats values("SPLUNK agent status") as "SPLUNK agent status" by host

if index=toto does not have all hosts, then I would append the file to the end.

index=toto sourcetype="tutu" Type=Service Name=="SplunkForwarder" [| inputlookup host.csv 
         | table host]
| dedup host 
| eval "SPLUNK agent status"="SPLUNK Agent is present"
| append [| inputlookup host.csv 
    | eval "SPLUNK agent status"="No SPLUNK Agent"
    | table host, "SPLUNK agent status"] 
| stats first("SPLUNK agent status") as "SPLUNK agent status" by host

hope this helps

Re: help on eval condition

woodcock — Sat, 23 Nov 2019 16:39:37 GMT

Do your "pretty" renaming at the end and use lookups the right way try this (it will be MUCH more efficient):

index="toto" AND sourcetype="tutu" AND Type="Service" AND Name="SplunkForwarder" 
| rename COMMENT AS "This solution assumes that there is no field 'Name' in the 'host.csv' file" 
| inputlookup append=t host.csv 
| stats values(Name) AS Names dc(Name) AS NameCount BY host 
| lookup host.csv host OUTPUT host AS keepme
| where isnotnull(keepme)
| fields - keepme
| eval Name = if(Name=="SplunkForwarder", "SPLUNK Agent is present", "No SPLUNK Agent") 
| rename Name AS "SPLUNK agent status"

P.S. This has been solved many times including:
Meta Woot!: https://splunkbase.splunk.com/app/2949/
TrackMe: https://splunkbase.splunk.com/app/4621/,
Broken Hosts App for Splunk: https://splunkbase.splunk.com/app/3247/
Alerts for Splunk Admins ("ForwarderLevel" alerts): https://splunkbase.splunk.com/app/3796/
Splunk Security Essentials(https://docs.splunksecurityessentials.com/features/sse_data_availability/): https://splunkbase.splunk.com/app/3435/
Monitoring Console: https://docs.splunk.com/Documentation/Splunk/latest/DMC/Configureforwardermonitoring
Deployment Server: https://docs.splunk.com/Documentation/DepMon/latest/DeployDepMon/Troubleshootyourdeployment#Forwarder_warnings

Re: help on eval condition

jip31 — Sun, 24 Nov 2019 14:20:23 GMT

sorry but it doesnt works
message : Error in 'eval' command: The expression is malformed. An unexpected character is reached at '="SplunkForwarder", "SPLUNK Agent is present", "No SPLUNK Agent")'.
and concerning the inputlookup, i confirm there is no fields "name" in the csv
but your code doesnt match the host there is in the host.csv with the host there is an index
that the reason why I use a subsearch like this : [| inputlookup host.csv
| table host]

Re: help on eval condition

jip31 — Sun, 24 Nov 2019 14:43:21 GMT

hi
yes it seems to be good, I just have to put [| inputlookup host.csv
| table host] otherwise I have an issue
question : instead doing this its not possible to do something like
| eval "SPLUNK agent status"=if(Name==!"SplunkForwarder","SPLUNK Agent is present", "No SPLUNK Agent")??

Re: help on eval condition

to4kawa — Sun, 24 Nov 2019 14:43:22 GMT

 index=toto sourcetype="tutu" Type=Service Name=* 
 | rename COMMENT AS "This solution assumes that there is no field 'Name' in the 'host.csv' file"
 | inputlookup append=t host.csv 
 | stats values(Name) AS Names dc(Name) AS NameCount BY host 
 | eval Name=if(Name=="SplunkForwarder", "SPLUNK Agent is present", "No SPLUNK Agent") 
 | rename Name AS "SPLUNK agent status"

hi, @jip31
Since the argument of inputlookup is append = t , only the host recorded in csv is searched.
@woodcock ,I fixed it.

Re: help on eval condition

woodcock — Sun, 24 Nov 2019 15:20:02 GMT

OOPS! That's what I get for answering on my phone without testing! I forgot the Name = part. I have re-edited my answer and it now works. And I very know understand what you were trying to do with your subsearch and that is exactly why it doesn't work. You need to BOTH merge your 2 datasets together, AND filter the one by the other. Just try the updated (now working) search; It will do exactly what you need in the most efficient way possible. Use lookups with |lookup most of the time because it is unlimited.

P.S. Thanks @to4kawa, for pitching in. You are exactly correct; that is why I had the comment in there about my presumptions about the contents of the lookup. My answer will not work if there is a Name field in the lookup file.

Re: help on eval condition

arjunpkishore5 — Sun, 24 Nov 2019 15:30:02 GMT

Hi @jip31 Yes you can. I just split it to make it easier to understand.