Alerting

Help with usage of IF / ELSE / WHERE

damucka
Builder

Hello,
I have the following code (only relevant part for this question):

|rename comment AS " ****************************** Start:    rtedump triggering ************************************************************************  "
 | eval rtetrigger=case(ALERT_TYPE="MAIN" AND trigger=0,"1",1<2,"0")
 | where rtetrigger = 1 AND totalCount > 0
 | append
 [
   | dbxquery query="call \"ML\".\"ML.PROCEDURES::PR_ALERT_TYPE_ANALYSING_LAST_MINUTES_ALL_HOSTS\"('BWP', to_timestamp(to_nvarchar(now(), 'YYYY-MM-DD HH24:MI'),'YYYY-MM-DD HH24:MI'), ?)" connection="HANA_MLBSO"    
     | eval HOST="ls5945/47"
     | eval Existing_Host=HOST 
     | eval FirstPart=substr(Existing_Host,1,4), SecondPart=substr(Existing_Host,5,7), SecondPart=split(SecondPart,"/") 
     | mvexpand SecondPart 
     | eval host_to_trigger=FirstPart+SecondPart
     | dedup host_to_trigger 
     | table host_to_trigger 
   | map maxsearches=20 search="dbxquery query=\"call SYS.MANAGEMENT_CONSOLE_PROC('runtimedump dump','$host_to_trigger$:30240',?)\" connection=\"HANA_MLBSO_BHT\" "
 ] 
|rename comment AS " ****************************  End:       rtedump triggering ***********************************************************************  "

What I would like to achieve is to execute everything under the append section ONLY when the conditions rtetrigger = 1 AND totalCount > 0 are met. I used "where" for that, but as I realized, this is obviously wrong; I misunderstood the "where" usage. It just filters the previous results.
Now, how would I proceed here?
I would need something like "if" or "case", but most of the examples I can find for both are combined with eval, and I would not exactly know how to fit it all in here ...

Kind Regards,
Kamil

0 Karma

damucka
Builder

I found the solution in one of the Questions. It implements the token for the map command:

rename comment AS " ****************************** Start:    rtedump triggering ************************************************************************  "
 | eval rtetrigger=case(ALERT_TYPE="MAIN" AND trigger=1,"1",1<2,"0")
 | eval tokenForSecondSearch=case(rtetrigger=1,"true") 

 | eval HOST="ls5945"
 | eval Existing_Host=HOST 
 | eval FirstPart=substr(Existing_Host,1,4), SecondPart=substr(Existing_Host,5,7), SecondPart=split(SecondPart,"/") 
 | mvexpand SecondPart 
 | eval host_to_trigger=FirstPart+SecondPart
 | dedup host_to_trigger 
 | table tokenForSecondSearch host_to_trigger    
 | map maxsearches=20 search="dbxquery query=\"call SYS.MANAGEMENT_CONSOLE_PROC('runtimedump dump','$host_to_trigger$:30240',?)\" connection=\"HANA_MLBSO_BHT\" | eval tokenForSecondSearch=\"$tokenForSecondSearch$\"| fields - tokenForSecondSearch"

 |rename comment AS " ****************************** Stop:    rtedump triggering ************************************************************************  "

Kind Regards,
Kamil

0 Karma

damucka
Builder

Hello,

Unfortunately the solution above does not help.
There are cases where the base search does not return any result for the host_to_trigger, and then the tokenForSecondSearch is also empty. In such a case I am getting an error from the map command complaining about the empty input. I would even be fine with that, but when I have the above in the alert, the alert does not get executed because of the error.

So, how would I trick the map command above and implement a kind of conditional that would execute the map only when rtetrigger = 0?
Or, when executing the map, how would I avoid getting an error back?

Regards,
Kamil

0 Karma

damucka
Builder

Again I found the answer in the Questions, this time it looks as follows:

|rename comment AS "In case host_to_trigger / rtetrigger are not set, assign the empty value to it, otherwise there will be an error from the map command"
 | fillnull value="" host_to_trigger
 | fillnull value="" rtetrigger

 | table host_to_trigger rtetrigger    
 | map maxsearches=20 search="dbxquery query=\"call SYS.MANAGEMENT_CONSOLE_PROC('runtimedump dump','$host_to_trigger$:30240',?)\" connection=\"HANA_MLBSO_BHT\" | eval rtetrigger=\"$rtetrigger$\"| fields - rtetrigger"

It works fine.

Regards,
Kamil

0 Karma
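As an added example (not part of the thread, and not the poster's search), the following SPL shows the conditional the thread is after expressed as a row filter: `map` runs its inner search once per input row, so restricting the rows before `map` means the dump procedure is simply never called when the trigger condition does not hold, and the `fillnull` guard keeps a missing `host_to_trigger` from producing an empty token. The input row is constructed with `makeresults`, and the inner `dbxquery` call is replaced by a harmless `makeresults` that only echoes the host; the `totalCount`, `trigger` and `HOST` values are assumed sample values.

```spl
| makeresults
| rename comment AS "Constructed sample row standing in for the real base search"
| eval ALERT_TYPE="MAIN", trigger=1, totalCount=3, HOST="ls5945/47"
| rename comment AS "Trigger flag as a string, same meaning as the case() in the thread"
| eval rtetrigger=if(ALERT_TYPE="MAIN" AND trigger=1, "1", "0")
| rename comment AS "Expand ls5945/47 into ls5945 and ls5947"
| eval FirstPart=substr(HOST,1,4), SecondPart=split(substr(HOST,5,7),"/")
| mvexpand SecondPart
| eval host_to_trigger=FirstPart.SecondPart
| dedup host_to_trigger
| rename comment AS "Guard: never hand map an absent field (empty token error)"
| fillnull value="" host_to_trigger rtetrigger
| rename comment AS "The conditional: map only sees rows that pass this where"
| where rtetrigger="1" AND totalCount>0 AND host_to_trigger!=""
| table host_to_trigger
| rename comment AS "Inner search echoes the target; in production this is the dbxquery call"
| map maxsearches=20 search="| makeresults | eval dumped_host=\"$host_to_trigger$:30240\" | table dumped_host"
```

With `trigger=0` the `where` yields no rows and `map` executes nothing, so the alert completes without an error and without touching the HANA host.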