topic Re: Splunk search in Splunk Search

Can you help me fix my Splunk search?

uagraw01 — Wed, 26 Jul 2023 17:14:59 GMT

Hello Splunkers!!

I am facing an issue while running below search. As you can see in the screenshot. Can anyone help me to fix this issue.

search query :

Screenshot for a query error:

Re: Splunk search

caiosalonso — Wed, 26 Jul 2023 16:04:33 GMT

Hi @uagraw01,

Have you tried to get more information about the warning in the job inspector? If job inspector contains any logs related to the execution of this query It would be helpful to find what is causing the warning.

Re: Splunk search

uagraw01 — Wed, 26 Jul 2023 16:26:45 GMT

@caiosalonso
Below is the suggested possible solution

Re: Can you help me fix my Splunk search?

uagraw01 — Fri, 28 Jul 2023 09:42:26 GMT

Does anyone suggest me the what the values I should pass to complete the search ?

| makeresults | addinfo | eval earliest=max(trunc(info_min_time),info_min_time), latest=min(max(trunc(info_max_time),(info_max_time + 0)),2000000000) | map search="search `indextime`>=`bin($earliest$,300)` `indextime`<`bin($earliest$,300,+300)` earliest=`bin($earliest$,300,-10800)` latest=`bin($latest$,300,+300)` `"

Re: Can you help me fix my Splunk search?

ITWhisperer — Thu, 27 Jul 2023 15:37:52 GMT

They look like back-quotes ` which delimit macros - I suspect you should be using single quotes ' for delimiting field names

Re: Can you help me fix my Splunk search?

uagraw01 — Thu, 27 Jul 2023 15:47:34 GMT

@ITWhisperer You are always a savior for me. As suggested I have replaced back quotes with a single quote. No error found but no event generated.

Re: Can you help me fix my Splunk search?

ITWhisperer — Thu, 27 Jul 2023 17:11:33 GMT

Perhaps we need to take a step back - what is it you are actually trying to do because it looks like a complicated way of doing things for which there might be a simpler solution. For example, using the map command can be quite complex and should probably be avoided if possible.

Re: Can you help me fix my Splunk search?

uagraw01 — Fri, 28 Jul 2023 07:55:10 GMT

@ITWhisperer The complete search is below where we are using macro scada_alarms, that is why we are using map command. Is there anything which I need to fix here.

| makeresults | addinfo | eval earliest=max(trunc(info_min_time),info_min_time),latest=min(max(trunc(info_max_time),info_max_time+0),2000000000) | map search="search 'indextime'>='bin($earliest$,300)' 'indextime'<'bin($earliest$,300,+300)' 'earliest='bin($earliest$,300,-10800)'' 'latest='bin($latest$,300,+300)' `scada_alarms`\ | where _time>=`bin($earliest$,300,-10800)` AND _time<`bin($latest$,300,+900)`'" |`maintain(index=si_error,source=scada,group=\\\"isc_id,error\\\",status=status,info=\\\"area,zone,equipment,element,error_status,operator_id\\\",span=300,earliest=$earliest$,latest=$latest$,extrapolate_condition=\\\"time-start_time <= 172800\\\")`")`\

Re: Can you help me fix my Splunk search?

ITWhisperer — Thu, 27 Jul 2023 17:47:38 GMT

Since you are using macros, you may want to go back to using back-quotes, but in order for us to me able to help you, you should post the expanded version of the search ctrl-shift-E

Use search macros in searches - Splunk Documentation

Re: Can you help me fix my Splunk search?

uagraw01 — Fri, 28 Jul 2023 07:56:20 GMT

@ITWhisperer I have tried both the methods but with complete search macro is not producing any result. But in last I have paste the macro

| makeresults | addinfo | eval earliest=max(trunc(info_min_time),info_min_time),latest=min(max(trunc(info_max_time),info_max_time+0),2000000000) | map search="search `indextime`>=`bin($earliest$,300)` `indextime`<`bin($earliest$,300,+300)`earliest=`bin($earliest$,300,-10800)` `latest=`bin($latest$,300,+300)'``scada_alarms`\| where _time>=`bin($earliest$,300,-10800)` AND _time<`bin($latest$,300,+900)`\ `maintain(index=si_error,source=scada,group=\\\"isc_id,error\\\",status=status,info=\\\"area,zone,equipment,element,error_status,operator_id\\\",span=300,earliest=$earliest$,latest=$latest$,extrapolate_condition=\\\"time-start_time <= 172800\\\")`")`\| where false()

==============COMPLETE MACRO=======

index=ABC sourcetype="ABC" "EquipmentEventReport.EquipmentEvent.Detail.State" IN("CAME_IN","WENT_OUT") | fields _raw | spath output=equipment_event path="EquipmentEventReport.EquipmentEvent" | fields - _raw | mvexpand equipment_event | spath input=equipment_event output=error_status path="Detail.State" | where error_status IN("CAME_IN","WENT_OUT") | spath input=equipment_event output=_time path="Detail.EventTime" | spath input=equipment_event output=operator_id path="Detail.OperatorID" | spath input=equipment_event output=area path="ID.Location.PhysicalLocation.AreaID" | spath input=equipment_event output=zone path="ID.Location.PhysicalLocation.ZoneID" | spath input=equipment_event output=equipment path="ID.Location.PhysicalLocation.EquipmentID" | spath input=equipment_event output=element path="ID.Location.PhysicalLocation.ElementID" | spath input=equipment_event output=error path="ID.MIS_Address" | fields - equipment_event | eval area=`format_area_id(area)`, zone=`format_zone_id(zone)`, equipment=`format_equipment_id(equipment)`, element=`format_element_id(element)`, isc_id = `to_location(area,zone,equipment,element)`, element=if(tonumber(element) > 0, element, null()) | lookup isc id AS isc_id OUTPUTNEW statistical_subject | lookup detail_status mis_address AS error component_type_id AS statistical_subject OUTPUTNEW alarm_severity | where alarm_severity in ("Safety","High","Medium","Low") | eval _time=strptime(_time, "%Y-%m-%dT%H:%M:%S.%N%Z"), status=if(error_status="WENT_OUT",null(),error) | fields _time area zone equipment element isc_id error error_status operator_id status

Re: Can you help me fix my Splunk search?

ITWhisperer — Thu, 27 Jul 2023 18:13:54 GMT

If I am reading this correctly, scada_alarms is a macro that expands to the part you have headed "cOMPLETE MACRO" and you are attempting to use this macro inside a map search?

If this is the case, it is possible that the macro is expanded before the map command is execute and since the macro has double quotes in, this is probably terminating the search string at this point and the remainder of the expanded macro is then parsed as part of the main search which is then failing - is this what could be going on?

Re: Can you help me fix my Splunk search?

uagraw01 — Thu, 27 Jul 2023 18:26:10 GMT

@ITWhisperer Yes I want to use that macro in the map command. And do you want me to remove double quotes from here >>> | map search="search

Below is the complete search :

addinfo
| eval earliest=max(trunc(info_min_time),info_min_time),latest=min(max(trunc(info_max_time),info_max_time+0),2000000000)
| map search="search 'indextime'>='bin($earliest$,300)' 'indextime'<'bin($earliest$,300,+300)' 'earliest='bin($earliest$,300,-10800)'' 'latest='bin($latest$,300,+300)' `scada_alarms`\
| where _time>=`bin($earliest$,300,-10800)` AND _time<`bin($latest$,300,+900)`'"
|`maintain(index=si_error,source=scada,group=\\\"isc_id,error\\\",status=status,info=\\\"area,zone,equipment,element,error_status,operator_id\\\",span=300,earliest=$earliest$,latest=$latest$,extrapolate_condition=\\\"time-start_time <= 172800\\\")`")`\

Re: Can you help me fix my Splunk search?

ITWhisperer — Fri, 28 Jul 2023 05:08:11 GMT

Rather than using the map command (which doesn't appear to expand macros), you could try something like this

[| makeresults | addinfo | eval search=`indextime`.">=".`bin(info_min_time,300)`." ".`indextime`."<".`bin(info_min_time,300,+300)`." earliest=".`bin(info_min_time,300,-10800)`." latest=".`bin(info_max_time,300,+300)` | fields search] `scada_alarms`

Or you may need to manually expand the indextime and bin macros (I have no idea what these are!)

Re: Can you help me fix my Splunk search?

uagraw01 — Fri, 28 Jul 2023 06:58:04 GMT

@ITWhisperer The search which have mentioned is not giving any error but no event is populating while running.

Re: Can you help me fix my Splunk search?

uagraw01 — Fri, 28 Jul 2023 07:56:44 GMT

@ITWhisperer Macro for `indextime'

Re: Can you help me fix my Splunk search?

ITWhisperer — Fri, 28 Jul 2023 09:32:34 GMT

What about the macro for bin?

Re: Can you help me fix my Splunk search?

ITWhisperer — Fri, 28 Jul 2023 09:34:39 GMT

It is hard to see from the graphic, but are there single quotes or back-quotes around the indextime and bin macros? They need to be back-quotes for macros. (This is counter to my original suggestion as it wasn't clear at the time that you were using so many macros.)

Re: Can you help me fix my Splunk search?

uagraw01 — Mon, 31 Jul 2023 05:23:43 GMT

@ITWhisperer Below is the macro for bin

Re: Can you help me fix my Splunk search?

uagraw01 — Mon, 31 Jul 2023 12:07:59 GMT

@ITWhisperer I think I am very close for the execution of the search. Please suggest what should I do next ?

Re: Can you help me fix my Splunk search?

ITWhisperer — Mon, 31 Jul 2023 12:38:59 GMT

[| makeresults | addinfo | eval search="_indextime>=".tostring(300*trunc(info_min_time/300))." _indextime<".tostring((300*trunc(info_min_time/300))+300)." earliest=".tostring((300*trunc(info_min_time/300))-10800)." latest=".tostring((300*trunc(info_max_time/300))+300) | fields search] `scada_alarms`