topic Re: Conditional Success/Fail in Splunk Search

Conditional Success/Fail

Memphis — Tue, 18 Jun 2024 15:50:50 GMT

Hi all -

I am trying to create what I would think is a relatively simple conditional statement in Splunk.

Use Case:

I merely want to know if a job has passed or failed; the only thing that is maybe tricky about this is the only message we get for pass or fail look like:

msg.message="*Work Flow Passed | for endpoint XYZ*" OR msg.message="*STATUS - FAILED*"

I have tried to create a conditional statement based on the messaging but I either return NULL value or the wrong value. If I try:

index=*app_pcf cf_app_name="mddr-batch-integration-flow" msg.message="*Work Flow Passed | for endpoint XYZ*" OR msg.message="*STATUS - FAILED*" | eval Status=if('message.msg'="*Work Flow Passed | for endpoint XYZ*","SUCCESS", "FAIL") | table _time, Status

Then it just shows Status as FAIL (which, i know is objectively wrong because the only message produced for this event is "work flow passed..." which should induce a TRUE value and display "SUCCESS").

If I try another way:

index=*app_pcf cf_app_name="mddr-batch-integration-flow" msg.message="*Work Flow Passed | for endpoint XYZ*" OR msg.message="*STATUS - FAILED*" | eval Status=case(msg.message="*Work Flow Passed | for endpoint XYZ*", "SUCCESS", msg.message="*STATUS - FAILED*", "FAIL") | table _time, Status

I receive NULL value for the STATUS field...

If it helps, this is how the event looks when i don't add any conditional statement or table:

How can I fix this?? Thanks!

Re: Conditional Success/Fail

P_vandereerden — Tue, 18 Jun 2024 17:14:05 GMT

In conditionals, use "like" instead:

It also helps to rename fields with paths to avoid the need for quoting them.

Re: Conditional Success/Fail

Memphis — Tue, 18 Jun 2024 22:00:27 GMT

Thanks for the help Paul! I have tried your tips:

index=*app_pcf cf_app_name="mddr-batch-integration-flow" msg.message="*Work Flow Passed | for endpoint Atmtransaction*" | rename msg.message as message | eval Status=if(like(message,"%Work Flow Passed | for endpoint Atmtransaction%"),"SUCCESS", "FAIL") | table _time, message, Status

And now I have added the correct message (workflow Passed) however the Status is still showing as FAIL...

Re: Conditional Success/Fail

bowesmana — Tue, 18 Jun 2024 23:49:23 GMT

Your data has a lower case 'a' for atmtransaction and your like statement as 'A'

If you want to use like() then add in lower(), i.e.

| eval Status=if(like(lower(message),"%work flow passed | for endpoint atmtransaction%"),"SUCCESS", "FAIL")

NB: match(message, regex) is an alternative to like, so you only need to match the part you are interested in, not the entire string, the match equivalent would be

| eval Status=if(match(message,"(?i)work flow passed \| for endpoint atmtransaction"),"SUCCESS", "FAIL")

Re: Conditional Success/Fail

Memphis — Thu, 20 Jun 2024 18:53:26 GMT

god blessit, i feel so dumb now lol. Fixing the "a" from upper to lowercase was all I needed to do. Thank you for catching that, i didn't realize that the capitalization would have an effect, but I see now why it does.

Thanks again, everyone works great now.