topic Re: null variables in eval if in Splunk Search

null variables in eval if

brianpreston — Fri, 19 Jun 2015 04:26:47 GMT

I'm trying to list the last logged event for each permutation of my two logged fields (columns). If the last event was too long ago, I want to output "dead" for that combination of the two columns.

My queries thus far are using eval with if. However I can't get the if statement to work with my column values.

If I make a dummy query,

hello_world_name=* host=* | stats max(timestamp) by hello_world_name, host | eval awol=if(1>0,"dead","live") | fields hello_world_name, host, awol, max(timestamp)

This will output "dead", because 1 > 0 evaluates to true. That seems right ! 🙂

However, this one doesn't work:

hello_world_name=* host=* | stats max(timestamp) by hello_world_name, host | eval awol=if(max(timestamp)<0,"dead","live") | fields hello_world_name, host, awol, max(timestamp)

What happens is, the value in the predicate of the "if" always evaluates to false.

max(timestamp) compared to anything is always false (or null?)
if I replace the tested value with "timestamp", it still doesn't work - "timestamp" compared to anything is always false (or null?)

This one doesn't work either:

hello_world_name=* host=* | stats max(timestamp) as bob by hello_world_name, host | eval awol=if(bob>now(),"dead","live") | fields hello_world_name, host, awol, bob

What happens is, even though "bob" is a real value, as evidenced by the column labeled "bob", no matter if the predicate is set "bob>now()" or "bob<now()", the answer is always as if it is false - the value of awol is "live".

What is the deal? Am I using eval incorrectly? How do I test fields from elsewhere in the query?

Re: null variables in eval if

hogan24 — Fri, 19 Jun 2015 05:34:27 GMT

try adding something like this after your stats command:

| eval awol = max(timestamp)
| table awol

That will show you what awol is calculating to and you can then adjust accordingly.

Re: null variables in eval if

martin_mueller — Fri, 19 Jun 2015 12:12:35 GMT

There's a key misunderstanding in your query.

If a host is "dead", ie has no events in your time range, there won't be any events in your time range. As a result, it won't even have a row to evaluate the awol value for that host.

Another issue, what format is your timestamp field using? Comparing now() with a string won't make sense, for example.

Re: null variables in eval if

woodcock — Fri, 19 Jun 2015 13:08:37 GMT

As @martin_mueller says, there are many fundamental problems with your search including all that he notes but even if everything that he notes is fixed, any time you compare an event's timestamp to now(), it should always be less than; your example is looking for events in the future than have not occurred yet! >now()!

Re: null variables in eval if

brianpreston — Fri, 19 Jun 2015 15:19:57 GMT

Thanks, but the "fields" clause already shows the values -- they are how I know the predicate isn't doing what I want.

Re: null variables in eval if

brianpreston — Fri, 19 Jun 2015 15:21:57 GMT

I'm sorry, I think I left out a key element which I thought would be implied by the fields in the query.

There will be events - they will just be old. My intention is for the final version of the query to test "timestamp" for its difference from now(). For example something like:

if (max(timestamp - now()) > 600, ...

Re: null variables in eval if

woodcock — Fri, 19 Jun 2015 15:26:49 GMT

Some how my answer got clipped; it is repaired now.

Re: null variables in eval if

brianpreston — Fri, 19 Jun 2015 16:57:33 GMT

Thanks woodcock, but that is not the problem. As I mentioned in the text of my question,

What happens is, even though "bob" is
a real value, as evidenced by the
column labeled "bob", no matter if the
predicate is set "bob>now()" or
"bob if it is false - the value of awol is
"live".

Re: null variables in eval if

brianpreston — Fri, 19 Jun 2015 17:00:44 GMT

query:

hello_world_name=* host=* | stats max(timestamp) by hello_world_name, host | eval awol=if(max(timestamp)>0,"dead","live") | fields hello_world_name, host, awol, max(timestamp)

result:

hello_world_name    host    awol    max(timestamp)
1   inabanoirousagi live    2015-02-04 03:32:32,910
bloobloo    inabanoirousagi live    2015-06-18 21:16:43,910
fnord   inabanoirousagi live    2015-06-17 20:43:20,860

query:

hello_world_name=* host=* | stats max(timestamp) as bob by hello_world_name, host | eval awol=if(bob>now(),"dead","live") | fields hello_world_name, host, awol, bob

result:

hello_world_name    host    awol    bob
1   inabanoirousagi live    2015-02-04 03:32:32,910
bloobloo    inabanoirousagi live    2015-06-18 21:16:43,910
fnord   inabanoirousagi live    2015-06-17 20:43:20,860

Re: null variables in eval if

brianpreston — Fri, 19 Jun 2015 17:39:20 GMT

timestamp is still a string, and even max(timestamp) is still a string. It looks like when comparing against integers the answer will always be false.

Ways around this:

use _time instead of the original parsed timestamp. This will be Splunk's guess at the timestamp. I think it might be derived from the field it recognizes as a timestamp.
parse the timestamp field into an integer with strptime . This can be a little dicey, so it's more reliable to use _time