topic Re: eval returning null value for a looked up field in Splunk Search

eval returning null value for a looked up field

ffrig — Mon, 28 Sep 2020 16:37:14 GMT

I have a query which I need to chart with an overlay with a static baseline figure (maxiops) which is retrieved by looking up a couple of fields in a csv file (DISKTYPE and SPEED). This returns MAX_IOPS.

I'm using 6.1 and thought this would be nice and easy, but it appears that MAX_IOPS is being treated as NULL so I cannot plot the line. If I hardcode maxiops=75 etc it works.

Any ideas how I can use the MAX_IOPS field for plotting the static line? The value is not dependent on the number of disks (PDID) returned. It's just based on DISKTYPE and SPEED.

index=ssa source="dbmon-tail://3Par-System-Reporter/statpd_hires" 3par_array_name=f400xlt01 DISKTYPE=NL SPEED=* PDID=17 OR PDID=18 | eval total_iops=(((d_rcount + d_wcount) * 1000000)/d_now_msec) | eval read_iops=((d_rcount * 1000000)/d_now_msec) | eval write_iops=((d_wcount * 1000000)/d_now_msec) | timechart span=1m max(read_iops) as "Read IOPs", max(write_iops) as "Write IOPs" by PDID | eval maxiops=if(isnull(MAX_IOPS),"yes","no")

Many thanks!

Re: eval returning null value for a looked up field

MuS — Thu, 15 May 2014 11:57:35 GMT

Hi ffrig,

I not sure if i understand it completely, but what I see is that you set maxiops with the last eval to either yes or no and this cannot be charted in timechart.....

maybe you should try something like this as last eval:

 eval maxiops=if(isnull(MAX_IOPS), "75", MAX_IOPS)

this will set maxiops to either the value of MAX_IOPS or if the field is empty to 75. Or this one:

 eval myMaxIOPS="75" | eval maxiops=coalesce(MAX_IOPS, myMaxIOPS)

this will set a new field first and use in the second eval either MAX_IOPS if it exists or myMaxIOPS.

cheers, MuS

Re: eval returning null value for a looked up field

ffrig — Thu, 15 May 2014 12:18:17 GMT

Thanks MuS. I'll try your suggestions.

The last eval "isnull" part was just to show that it's been set to null. I should have taken that out I suppose!

I don't understand why MAX_IOPS is NULL though?

Re: eval returning null value for a looked up field

MuS — Thu, 15 May 2014 12:31:41 GMT

so you got a field named MAX_IOPS which contains numeric values?

Re: eval returning null value for a looked up field

ffrig — Mon, 28 Sep 2020 16:37:27 GMT

The problem is that MAX_IOPS is NULL and I can't see why it is.

The value is retrieved via a lookup:

~props.conf:
LOOKUP-ssa-3par-iops = ssa-3par-performance DISKTYPE SPEED OUTPUTNEW MAX_IOPS MAX_MBS

~transforms.conf:
[ssa-3par-performance]
filename = ssa_3par_iops.csv

[root@vspindexlt03 local]# cat ../lookups/ssa_3par_iops.csv
DISKTYPE,SPEED,MAX_IOPS,MAX_MBS
NL,7,75,30
FC,10,150,45
FC,15,200,45

This is working as I see it in the events, but I get a NULL for MAX_IOPS when charting with:

Re: eval returning null value for a looked up field

ffrig — Mon, 28 Sep 2020 16:37:30 GMT

index=ssa source="dbmon-tail://3Par-System-Reporter/statpd_hires" 3par_array_name=v400xlt01 | table DISKTYPE SPEED MAX_IOPS

returns MAX_IOPS as 75, 150, 200 depending on the search criteria so that looks fine.

Re: eval returning null value for a looked up field

MuS — Mon, 28 Sep 2020 16:37:33 GMT

facepalm your MAX_IOPS field is 'gone' after the timechart! Add is like max(MAX_IOPS) AS MAX_IOPS to the timechart and you should be fine ....

Re: eval returning null value for a looked up field

ffrig — Mon, 28 Sep 2020 16:37:36 GMT

Hi MuS

That works but I get a MAX_IOPS per PDID which isn't what I need. I just need one MAX_IOPS for all PDIDs.

Re: eval returning null value for a looked up field

MuS — Thu, 15 May 2014 13:59:26 GMT

Yes, your timechart is by or per PDID. Since you have three different MAX_IOPS in your lookup you will get back three different values. If you only need one either set only one in the lookup or do it like you did in the beginning and set it 'static' using eval.

Re: eval returning null value for a looked up field

ffrig — Thu, 15 May 2014 14:51:03 GMT

Thanks. I only get one MAX_IOPS but per PDID returned.
I can't set just one in the lookup as FC and NL types have different values. I need to select one of these based on what someone sets on the dashboard.

Basically I just need the lookup value based on what someone selects for DISKTYPE and SPEED and plot that independently of anything else. As I'm trying to overlay this on the chart, I don't think that's possible?

I suppose I could do it with one massive if statement instead of the lookup but that kind of defeats the object :>(