Help with usage of IF / ELSE / WHERE

damucka
Builder

Hello,
I have the following code (only relevant part for this question):

|rename comment AS " ****************************** Start:    rtedump triggering ************************************************************************  "
 | eval rtetrigger=case(ALERT_TYPE="MAIN" AND trigger=0,"1",1<2,"0")
 | where rtetrigger = 1 AND totalCount > 0
 | append
 [
   | dbxquery query="call \"ML\".\"ML.PROCEDURES::PR_ALERT_TYPE_ANALYSING_LAST_MINUTES_ALL_HOSTS\"('BWP', to_timestamp(to_nvarchar(now(), 'YYYY-MM-DD HH24:MI'),'YYYY-MM-DD HH24:MI'), ?)" connection="HANA_MLBSO"    
     | eval HOST="ls5945/47"
     | eval Existing_Host=HOST 
     | eval FirstPart=substr(Existing_Host,1,4), SecondPart=substr(Existing_Host,5,7), SecondPart=split(SecondPart,"/") 
     | mvexpand SecondPart 
     | eval host_to_trigger=FirstPart+SecondPart
     | dedup host_to_trigger 
     | table host_to_trigger 
   | map maxsearches=20 search="dbxquery query=\"call SYS.MANAGEMENT_CONSOLE_PROC('runtimedump dump','$host_to_trigger$:30240',?)\" connection=\"HANA_MLBSO_BHT\" "
 ] 
|rename comment AS " ****************************  End:       rtedump triggering ***********************************************************************  "

What I would like to achieve is to execute everything under the append section ONLY when the conditions rtetrigger = 1 AND totalCount > 0 are met. I used "where" for that, but this is obviously wrong, as I realized; I misunderstood the "where" usage. It just filters the previous results.
Now, how would I proceed here?
I would need something like "if" or "case", but most of the examples I can find for both are combined with eval, and I would not exactly know how to fit it all in here ...

Kind Regards,
Kamil

0 Karma

damucka
Builder

I found the solution in one of the Questions. It implements the token for the map command:

rename comment AS " ****************************** Start:    rtedump triggering ************************************************************************  "
 | eval rtetrigger=case(ALERT_TYPE="MAIN" AND trigger=1,"1",1<2,"0")
 | eval tokenForSecondSearch=case(rtetrigger=1,"true") 

 | eval HOST="ls5945"
 | eval Existing_Host=HOST 
 | eval FirstPart=substr(Existing_Host,1,4), SecondPart=substr(Existing_Host,5,7), SecondPart=split(SecondPart,"/") 
 | mvexpand SecondPart 
 | eval host_to_trigger=FirstPart+SecondPart
 | dedup host_to_trigger 
 | table tokenForSecondSearch host_to_trigger    
 | map maxsearches=20 search="dbxquery query=\"call SYS.MANAGEMENT_CONSOLE_PROC('runtimedump dump','$host_to_trigger$:30240',?)\" connection=\"HANA_MLBSO_BHT\" | eval tokenForSecondSearch=\"$tokenForSecondSearch$\"| fields - tokenForSecondSearch"

 |rename comment AS " ****************************** Stop:    rtedump triggering ************************************************************************  "

Kind Regards,
Kamil

0 Karma

damucka
Builder

Hello,

Unfortunately the solution above does not help.
There are cases where the base search does not return any result for the host_to_trigger, and then the tokenForSecondSearch is also empty. In such a case I am getting an error from the map command complaining about the empty input. I would even be fine with that, but when I have the above in the alert, then the alert does not get executed because of the error.

So, how would I trick the map command above into implementing a kind of conditional that would execute the map only in the case when rtetrigger = 0?
Or, when executing the map, how could I avoid getting an error back?

Regards,
Kamil

0 Karma

damucka
Builder

Again I found the answer in the Questions, this time it looks as follows:

|rename comment AS "In case host_to_trigger / rtetrigger are not set, assign the empty value to it, otherwise there will be an error from the map command"
 | fillnull value="" host_to_trigger
 | fillnull value="" rtetrigger

 | table host_to_trigger rtetrigger    
 | map maxsearches=20 search="dbxquery query=\"call SYS.MANAGEMENT_CONSOLE_PROC('runtimedump dump','$host_to_trigger$:30240',?)\" connection=\"HANA_MLBSO_BHT\" | eval rtetrigger=\"$rtetrigger$\"| fields - rtetrigger"

It works fine.

Regards,
Kamil

0 Karma
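An added example, not code from the thread, showing another way to gate the map command in SPL: the whole statement is built per row with if(), so untriggered rows run a harmless placeholder instead of the dump procedure, hostnames are validated before they are interpolated into the procedure call, and appendpipe supplies one row when the base search returns nothing, so map never sees empty input. The field names and the dbxquery/map layout follow the thread; the `query` field, the hostname regex and the `select ... from dummy` placeholder statements are assumptions.

```spl
... base search producing ALERT_TYPE, trigger and totalCount ...
| rename comment AS "Decide once whether a dump should be triggered at all"
| eval rtetrigger=if(ALERT_TYPE="MAIN" AND trigger=1 AND totalCount>0, 1, 0)
| rename comment AS "Expand the host list as in the thread: ls5945/47 -> ls5945, ls5947"
| eval HOST="ls5945/47"
| eval FirstPart=substr(HOST,1,4), SecondPart=split(substr(HOST,5,7),"/")
| mvexpand SecondPart
| eval host_to_trigger=FirstPart.SecondPart
| rename comment AS "Only well-formed hostnames may reach the stored-procedure call; the pattern is an assumption, adjust it to your naming scheme"
| where match(host_to_trigger, "^[a-z0-9]+$")
| rename comment AS "Build the complete statement per row: the real procedure call when triggered, a harmless placeholder otherwise (placeholder is assumed)"
| eval query=if(rtetrigger=1,
      "call SYS.MANAGEMENT_CONSOLE_PROC('runtimedump dump','".host_to_trigger.":30240',?)",
      "select 'skipped' from dummy")
| rename comment AS "All untriggered rows share one placeholder, so dedup makes it run once"
| dedup query
| table query
| rename comment AS "If no rows survived at all, add one placeholder row so map still has input and the alert does not fail"
| appendpipe [ stats count | where count=0 | eval query="select 'no input' from dummy" | table query ]
| map maxsearches=20 search="dbxquery query=\"$query$\" connection=\"HANA_MLBSO_BHT\""
```

Because the token now carries the whole statement, the procedure is only ever called with a hostname that passed the match() check, and the untriggered path never reaches the dump procedure at all.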