topic Re: eval case inside map in Splunk Search

Can I search eval case inside map?

winknotes — Fri, 02 Jun 2023 06:25:15 GMT

Nothing is returned for SOT (assuming NULL). I don't understand what could be wrong. If I run the mstats command as a standalone search it works as expected so I'm guessing it's because it's inside this map command?

Re: eval case inside map

richgalloway — Thu, 01 Jun 2023 18:57:19 GMT

I'll let someone else comment on how mstats works with map. I have an alternative query to try.

Re: eval case inside map

winknotes — Thu, 01 Jun 2023 20:47:07 GMT

That works great. Now is there also a way to grab a couple more values per ArrayName out of the lookup file?

So instead of the table command being:

| table Array_Name Model SOT sgname PctIOPS

it might be:

| table Array_Name Model SOT sgname PctIOPS avgIOPS avg_pred_IOPS

Where avgIOPS and avg_pred_IOPS are fields in the lookup file?

Re: eval case inside map

richgalloway — Thu, 01 Jun 2023 21:10:04 GMT

Change the fields command in the subsearch to return the desired fields. Splunk will expect to find all of the named fields in each event. Also, the names must match what is in the index. If they don't match then insert a rename command before format.

Re: eval case inside map

winknotes — Thu, 01 Jun 2023 21:28:17 GMT

Yes I did use a rename. This is what I'm trying but it doesn't find any results now. The fields command adds an 'AND' to the parenthetical filtering (Array_Name="x" AND avgIOPS=123)

| fields ArrayName avgIOPS | rename ArrayName as Array_Name | format ]

Re: eval case inside map

richgalloway — Fri, 02 Jun 2023 00:20:04 GMT

Yup, that's what I said it would do. If you need to use OR instead of AND then the format command will let you do so. See the Search Reference Manual for details.

Re: eval case inside map

isoutamo — Fri, 02 Jun 2023 07:21:36 GMT

You can use

| format "(" "" "OR" "" "" ")"

or change "(" and ")" to ""

r. Ismo