topic Re: help with if-else statement in Splunk Search

help with if-else statement

sarit_s — Sun, 10 May 2020 07:10:07 GMT

Hello,

I have this query :

index="prod" eventtype="csm-messages-dhcpd-lpf-eth0-sending" OR eventtype="csm-messages-dhcpd-lpf-eth0-listening" OR eventtype="csm-messages-dhcpd-send-socket-fallback-net" OR eventtype="csm-messages-dhcpd-write-zero-leases" OR eventtype="csm-messages-dhcpd-eth1-nosubnet-declared" 
| timechart span=1m count BY eventtype

which gives me results that looks like this :

_time csm-messages-dhcpd-eth1-nosubnet-declared csm-messages-dhcpd-lpf-eth0-listening csm-messages-dhcpd-lpf-eth0-sending csm-messages-dhcpd-send-socket-fallback-net csm-messages-dhcpd-write-zero-leases
2019-08-05 10:24:00 1 1 1 1 1

I have few questions :
1. is there a way to write the query in such way that will return more than 5000 results?
2. how can i check this terms:
If count is not equal for all rules:
Find timestamps of instances that don’t match count
For each unique timestamp from the previous step, alert “CSM DHCP Anomaly” as ”Medium”

thanks

Re: help with if-else statement

to4kawa — Sun, 10 May 2020 08:57:06 GMT

 index="prod" eventtype="csm-messages-dhcpd-lpf-eth0-sending" OR eventtype="csm-messages-dhcpd-lpf-eth0-listening" OR eventtype="csm-messages-dhcpd-send-socket-fallback-net" OR eventtype="csm-messages-dhcpd-write-zero-leases" OR eventtype="csm-messages-dhcpd-eth1-nosubnet-declared" 
| bin span=1min _time
| stats count by _time eventtype

Re: help with if-else statement

gcusello — Sun, 10 May 2020 09:20:15 GMT

Hi @sarit_s,
I'm not sure that you can satisfy all your needs, anyway:
for the first request use stats instead timechart

index="prod" eventtype="csm-messages-dhcpd-lpf-eth0-sending" OR eventtype="csm-messages-dhcpd-lpf-eth0-listening" OR eventtype="csm-messages-dhcpd-send-socket-fallback-net" OR eventtype="csm-messages-dhcpd-write-zero-leases" OR eventtype="csm-messages-dhcpd-eth1-nosubnet-declared" 
| bin span=1m _time
| chart count OVER _time BY eventtype

But are you sure to want more than 5000 results? it's very difficoult to read these results!

For the second question the command to use is rare at the end of the search:

index="prod" eventtype="csm-messages-dhcpd-lpf-eth0-sending" OR eventtype="csm-messages-dhcpd-lpf-eth0-listening" OR eventtype="csm-messages-dhcpd-send-socket-fallback-net" OR eventtype="csm-messages-dhcpd-write-zero-leases" OR eventtype="csm-messages-dhcpd-eth1-nosubnet-declared" 
| bin span=1m _time
| stats count BY _time eventtype
| rare _time eventtype

For the third question you alread have the value but grouped by span, if you want the exact vale, try something like this.

index="prod" eventtype="csm-messages-dhcpd-lpf-eth0-sending" OR eventtype="csm-messages-dhcpd-lpf-eth0-listening" OR eventtype="csm-messages-dhcpd-send-socket-fallback-net" OR eventtype="csm-messages-dhcpd-write-zero-leases" OR eventtype="csm-messages-dhcpd-eth1-nosubnet-declared" 
| stats count BY _time eventtype
| rare _time eventtype

Ciao.
Giuseppe

Re: help with if-else statement

sarit_s — Sun, 10 May 2020 10:14:46 GMT

hi, thanks for your answer but it is not what i asked for.. i don't need the percentage of the results..
i need the results as they were in the first query and need to check on the results if there are some raws that don't have same count

Re: help with if-else statement

sarit_s — Sun, 10 May 2020 10:26:30 GMT

thanks for your answer but it is not giving the wanted results

Re: help with if-else statement

to4kawa — Sun, 10 May 2020 20:41:42 GMT

really?

this display over 5000 rows.

I can't answer Q2 because there is not the detail.

Re: help with if-else statement

sarit_s — Mon, 11 May 2020 06:39:10 GMT

Hey,
maybe it display more than 50000 but not the right results 🙂
any way, the main thing is Q2..
i will try to explain it better..
i have 5 eventtypes.. each one of them has count value..
the good scenario is when the count value of all the eventtypes is equal.. so i want to check if this value is equal (for each raw) and if not to do what is written in my question..

Re: help with if-else statement

gcusello — Mon, 11 May 2020 06:57:39 GMT

Hi @sarit_s,
try this:

index=_internal
| bin span=10m _time
| stats count AS my_count BY source _time showperc=false
| rare source,_time BY my_count
| sort my_count
| head 10

that related to your example is

index="prod" eventtype="csm-messages-dhcpd-lpf-eth0-sending" OR eventtype="csm-messages-dhcpd-lpf-eth0-listening" OR eventtype="csm-messages-dhcpd-send-socket-fallback-net" OR eventtype="csm-messages-dhcpd-write-zero-leases" OR eventtype="csm-messages-dhcpd-eth1-nosubnet-declared" 
| bin span=1m _time
| stats count AS my_count BY _time eventtype
| rare _time eventtype By my_count showperc=false
| sort my_count
| head 10

I setted a threeshold of the first 10, but you can choose a different one.
If the most events have the same value, you could use perc to find the different values.

Ciao.
Giuseppe

Re: help with if-else statement

sarit_s — Mon, 11 May 2020 08:20:47 GMT

thanks for your answer.. can you please explain how it is answering my question ?

Re: help with if-else statement

gcusello — Mon, 11 May 2020 08:54:37 GMT

Hi @sarit_s,
Using this search you have the results grouped for occurrencies, so you can have the values different than the most events, I cannot see any other way to have the differences than the usual value, unless there is a possibility to prevently define the waited value.

Ciao.
Giuseppe

Re: help with if-else statement

sarit_s — Mon, 11 May 2020 09:17:15 GMT

i think i did not explain myself well...

let say i have 5 different eventtypes..
each one of them gets count value..
for the example, each one of them gets the value 1..
if the count value of all the eventtypes is equal than all is OK. but if the value is not equal i have to act as written in the question.. so.. if 4 of the eventtypes has the value 1 and one of them has the value 0 than it is not OK. i have to find those rows where there is different between the count value for each time stamp.
after i will find this i have to do the rest of the description in my question..