topic How to evaluate and add if condition on stats data? in Splunk Search

How to evaluate and add if condition on stats data?

rkishoreqa — Wed, 12 Oct 2022 09:16:01 GMT

Hi team,

I created one query with rex command and stats command, it is working fine. Now I need to add another column which can evaluate the error details and should display the status as 'ignore' or 'follow-up'.

The query looks like - index=dev_master souce="testing source" |rex field=_raw "Error desc : (?<Err>[^\"|\<] |stats count by Err.

The result is looks like below :

Err count

server timeout, try after sometime 5
Web service error 8
Address element not found 2

Now I want to enhance the above query to get the output like below.

Err count Action

server timeout, try after sometime 5 Ignore
Web service error 8 follow-up
Address element not found 2 Ignore

Can anyone help me on this.

Thanks in Advance.

Re: How to evaluate and add if condition on stats data?

PickleRick — Wed, 12 Oct 2022 09:31:14 GMT

You have your Err and count available as normal fields so there's no problem with doing a eval with if or a lookup based on either of those fields. If you want to do a lookup based on some original field or content of the _raw before aggregation, you shouldn't have used the stats (yet) because you've already aggregated the data and lost the original events.

Re: How to evaluate and add if condition on stats data?

jdunlea — Wed, 12 Oct 2022 16:38:54 GMT

Agree with @Anonymous.

You could add on something like the following to your search:

...< original search > ... | eval action=case(Err="server timeout, try after sometime","Ignore",Err="Web service error","follow-up",Err="Address element not found","Ignore")

The challenge with the above is that you may need to create a case statement for many different values of the Err field, depending on what you want to set the Action field to.

Alternatively, if there will only ever be two values for Action (I.E. "Follow-Up" and "Ignore"), then you could do something like the following and adjust it as needed.

... < original search > ... | eval Action=if(Err="Web service error" OR Err="Something else" OR Err="another thing","Follow-Up","Ignore")

This will assign "Follow-Up" to the specific Err values that you call out, and then assign "Ignore" to everything else.

Re: How to evaluate and add if condition on stats data?

rkishoreqa — Thu, 13 Oct 2022 07:29:08 GMT

@jdunlea
I have written the case statement, it is working fine. But some times we are getting the log like "Address element not found - <<text>> ". I used the search predicates *, %, + for this <<text>>, but it is not working.

Can you please let me know the exact search predicate for this <<text>> inside the double quotes and in Case statement.

Re: How to evaluate and add if condition on stats data?

jdunlea — Thu, 13 Oct 2022 13:32:26 GMT

You can do it using a match() statement within your case statement as follows:

...< original search > ... | eval action=case(Err="server timeout, try after sometime","Ignore",match(Err,"Web service error"),"follow-up",Err="Address element not found","Ignore")

Hope this helps!

Re: How to evaluate and add if condition on stats data?

PickleRick — Thu, 13 Oct 2022 16:14:31 GMT

If I understand you correctly, you tried to do something like that:

| eval field=if(field="*value*", [...])

Or something similar. In other words - you tried to match to a wildcarded string with a simple equality comparison, right?

Splunk doesn't work that way.

I know it can get confusing sometimes but this form of wildcard matching (field=value_*with_wildcards) works only with the search command (which includes the implicit search at the beginning of your pipeline.

Otherwise the equality operator is treated exactly as in - for example - programming languages and checks for equality (with a possible exception for multivalued fields but let's not dig into that at this point).

So in order to match a value against a partial pattern you need to use a matching function like:

like()
match()
searchmatch()

See https://docs.splunk.com/Documentation/Splunk/9.0.1/SearchReference/ConditionalFunctions for detailed description and examples