topic Re: Eval multiple services in single query in Splunk Search

Eval multiple services in single query

cdevoe57 — Thu, 24 Jul 2025 12:52:39 GMT

I am attempting to run a query that will find the status fo 3 services and list which ones are failed and which ones are running. I only want to display the host that failed and the statuses of those services. The end goal is to create an alert.

The following query produces no results

index="server" host="*" source="Unix:Service"

| eval IPTABLES = if(UNIT=iptables.service AND (ACTIVE="failed" OR ACTIVE="inactive"), "failed", "OK")

| eval AUDITD = if(UNIT=auditd.service AND (ACTIVE="failed" OR ACTIVE="inactive"), "failed", "OK")

| eval CHRONYD = if(UNIT=chronyd.service AND (ACTIVE="failed" OR ACTIVE="inactive"), "failed", "OK")

| dedup host

| table host IPTABLES AUDITD CHRONYD

This query works

index="server" host="*" source="Unix:Service" UNIT=iptables.service

| eval IPTABLES = if(ACTIVE="failed" OR ACTIVE="inactive", "failed", "OK")

| dedup host

| table host IPTABLES

How can I get the query to produce the following results

host IPTABLES AUDITD CHRONYD
server1 failed OK OK

Re: Eval multiple services in single query

livehybrid — Thu, 24 Jul 2025 13:18:15 GMT

Hi @cdevoe57

Does this bit on its own work?

index="server" host="*" source="Unix:Service" UNIT=iptables.service

If not how about

index="server" host="*" source="Unix:Service" UNIT="iptables.service"

🌟 Did this answer help you? If so, please consider:

Adding karma to show it was useful
Marking it as the solution if it resolved your issue
Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing

Re: Eval multiple services in single query

ITWhisperer — Thu, 24 Jul 2025 13:22:02 GMT

It depends on your actual data. Please share some sample representative events.

Re: Eval multiple services in single query

cdevoe57 — Thu, 24 Jul 2025 13:43:46 GMT

It is from the TA Nix addon

Re: Eval multiple services in single query

cdevoe57 — Thu, 24 Jul 2025 13:44:43 GMT

Yes, this works

index="server" host="*" source="Unix:Service" UNIT=iptables.service

| eval IPTABLES = if(ACTIVE="failed" OR ACTIVE="inactive", "failed", "OK")

| dedup host

| table host IPTABLES

Re: Eval multiple services in single query

PickleRick — Thu, 24 Jul 2025 14:49:01 GMT

1. The host=* condition is completely unnecessary. It doesn't narrow your search and every event must have the host field. It's a purely aesthetic remark but bloating the search makes it less readable.

2. The dedup command works differently than I suppose you think it does. After "dedup host" you will be left with just one event containing data for the first service returned by the initial search. All subsequent services for this host will be discarded. I don't think it's what you want.

Re: Eval multiple services in single query

cdevoe57 — Thu, 24 Jul 2025 14:56:13 GMT

Excellent Point. Sadly, I knew that.... Must have been a brain cramp

Re: Eval multiple services in single query

bowesmana — Thu, 24 Jul 2025 23:41:12 GMT

This syntax is wrong and will never work

| eval IPTABLES = if(UNIT=iptables.service AND (ACTIVE="failed" OR ACTIVE="inactive"), "failed", "OK")

UNIT is a string, so must be quoted as you have done for the ACTIVE field.

| eval IPTABLES = if(UNIT="iptables.service" AND (ACTIVE="failed" OR ACTIVE="inactive"), "failed", "OK")

You probably want to use

| fields _time host IPTABLES AUDITD CHRONYD | stats latest(*) as * by host

to get you the most recent state

Re: Eval multiple services in single query

PrewinThomas — Fri, 25 Jul 2025 05:02:22 GMT

@cdevoe57
Try below,

index="server" source="Unix:Service" UNIT IN ("iptables.service", "auditd.service", "chronyd.service") | eval status=if(ACTIVE=="failed" OR ACTIVE=="inactive", "failed", "OK") | eval service=case( UNIT=="iptables.service", "IPTABLES", UNIT=="auditd.service", "AUDITD", UNIT=="chronyd.service", "CHRONYD" ) | stats values(status) as status by host service | xyseries host service status | where IPTABLES="failed" OR AUDITD="failed" OR CHRONYD="failed" | table host IPTABLES AUDITD CHRONYD

Regards,
Prewin
Splunk Enthusiast | Always happy to help! If this answer helped you, please consider marking it as the solution or giving a Karma. Thanks!