
Conflicting multiple values using eval command

lloydknight
Builder

Hello Guys,

What I'm trying to achieve is to show all the "NOT OKAY" field values from the stats.
There's a conflict between my "OKAY" and "NOT OKAY" values.

Can anyone guide me on how to show all the "NOT OKAY" to the summary field?

Tried replacing the case with ~ | eval z=if((y=1 OR swapUsedPct1=1 OR CommandCount1=1),"NOT OKAY","OKAY")

but I'm getting the same result.

Here's my Search:

index=os host=local* 
| multikv fields swapUsedPct 
| eval swapUsedPct1=if(swapUsedPct>=10,1,0)
| append [search index=os host=local* source=ps   
| multikv 
| search S=Z PID=* COMMAND=*  
| eventstats dc(PID) AS CommandCount by host
| eval CommandCount1=if(CommandCount>=10,1,0)]
| append [search index=os host=local* source=ps 
| multikv 
| rex field=ELAPSED "(?<daytrend>(\d+\-?))" 
| eval daytrend=replace (daytrend,"-","")  
| eval daytrend=tonumber(trim(daytrend)) 
| eval x=(182-daytrend) 
| eval y=if(x<=1,1,0)]
| eval summary = case(y=1 OR swapUsedPct1=1 OR CommandCount1=1, "NOT OKAY", (y=0 OR swapUsedPct1=0 OR CommandCount1=0), "OKAY", (y=2 OR swapUsedPct1=2 OR CommandCount1=2), "NULL") 
| stats latest(summary) AS Status BY host  
| sort + Status

P.S.
Yep, I know my search can still be optimized 🙂

Thank you kindly!

1 Solution

richgalloway
SplunkTrust

I suspect there is nothing correlating the three searches to each other. Consider replacing the append commands with join host. This is less efficient, but may work better.

---
If this reply helps you, an upvote would be appreciated.



lloydknight
Builder

yep, your suspicion is spot on! Thank you!


richgalloway
SplunkTrust

Please accept the answer.

---
If this reply helps you, an upvote would be appreciated.

DalJeanis
SplunkTrust

Your code is doing exactly what it ought to, as far as I can tell. This code generates all 27 possible conditions for test purposes:

| makeresults 
| eval y = "0 1 2" | makemv y | mvexpand y 
| eval swapUsedPct1 = "0 1 2" | makemv swapUsedPct1 | mvexpand swapUsedPct1
| eval CommandCount1= "0 1 2"  | makemv CommandCount1 | mvexpand CommandCount1  
| sort y swapUsedPct1 CommandCount1
| streamstats count as RecNo
| table RecNo y swapUsedPct1 CommandCount1

Your case statement processes the above output:

 | eval summary = case(y=1 OR swapUsedPct1=1 OR CommandCount1=1, "NOT OKAY", (y=0 OR swapUsedPct1=0 OR CommandCount1=0), "OKAY", (y=2 OR swapUsedPct1=2 OR CommandCount1=2), "NULL")

resulting in:

RecNo           y               swapUsedPct1    CommandCount1   summary        
1               0               0               0               OKAY           
2               0               0               1               NOT OKAY       
3               0               0               2               OKAY           
4               0               1               0               NOT OKAY       
5               0               1               1               NOT OKAY       
6               0               1               2               NOT OKAY       
7               0               2               0               OKAY           
8               0               2               1               NOT OKAY       
9               0               2               2               OKAY           
10              1               0               0               NOT OKAY       
11              1               0               1               NOT OKAY       
12              1               0               2               NOT OKAY       
13              1               1               0               NOT OKAY       
14              1               1               1               NOT OKAY       
15              1               1               2               NOT OKAY       
16              1               2               0               NOT OKAY       
17              1               2               1               NOT OKAY       
18              1               2               2               NOT OKAY       
19              2               0               0               OKAY           
20              2               0               1               NOT OKAY       
21              2               0               2               OKAY           
22              2               1               0               NOT OKAY       
23              2               1               1               NOT OKAY       
24              2               1               2               NOT OKAY       
25              2               2               0               OKAY           
26              2               2               1               NOT OKAY       
27              2               2               2               NULL           

Which results do you find to be in error?

Updated test code to look cleaner and simpler.

lloydknight
Builder

Hello DalJeanis, and thank you for your answer. Yes, the search is fine if I break the searches down into three (removing the | append).

My error is that only swapUsedPct's result is appearing, for some reason, and I think the append is the cause.


richgalloway
SplunkTrust

So you're saying swapUsedPct has a value and the other two fields are null?

Have you tried this case statement? case(y=1 OR swapUsedPct1=1 OR CommandCount1=1, "NOT OKAY", (y=0 AND swapUsedPct1=0 AND CommandCount1=0), "OKAY", 1=1, "NULL")

---
If this reply helps you, an upvote would be appreciated.
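As an added example (not code from the thread), here is the whole search rewritten the way richgalloway's accepted answer suggests: the two append subsearches become join host subsearches, each pre-aggregated to one row per host, and the summary uses the case statement with a 1=1 default from his reply above. Field names, thresholds and the ELAPSED rex are taken from the question; the assumption is that each data source yields at most one row per host after stats BY host, so a left join attaches the other two indicators to the swapUsedPct row for the same host instead of stacking them as separate rows.

```spl
index=os host=local*
| multikv fields swapUsedPct
| stats latest(swapUsedPct) AS swapUsedPct BY host
| eval swapUsedPct1=if(swapUsedPct>=10,1,0)
| join type=left host
    [ search index=os host=local* source=ps
      | multikv
      | search S=Z PID=* COMMAND=*
      | stats dc(PID) AS CommandCount BY host
      | eval CommandCount1=if(CommandCount>=10,1,0) ]
| join type=left host
    [ search index=os host=local* source=ps
      | multikv
      | rex field=ELAPSED "(?<daytrend>(\d+\-?))"
      | eval daytrend=tonumber(trim(replace(daytrend,"-","")))
      | eval x=(182-daytrend)
      | eval y=if(x<=1,1,0)
      | stats latest(y) AS y BY host ]
| eval Status=case(y=1 OR swapUsedPct1=1 OR CommandCount1=1, "NOT OKAY",
                   y=0 AND swapUsedPct1=0 AND CommandCount1=0, "OKAY",
                   1=1, "NULL")
| table host swapUsedPct1 CommandCount1 y Status
| sort + Status
```

Two things to watch. First, the case statement deliberately does not fillnull: if a host has no ps data, CommandCount1 and y stay null, neither the "NOT OKAY" nor the "OKAY" branch matches, and the 1=1 default marks the host "NULL" so missing data is not silently reported as healthy. Second, join runs each bracketed search as a subsearch, which is subject to Splunk's subsearch result and time limits; aggregating BY host inside each subsearch keeps the row counts small enough for that to be safe on a host=local* scope.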

lloydknight
Builder

I mean, swapUsedPct1, CommandCount1, and y have values, but my Status table only shows that swapUsedPct1 got the right values; CommandCount1's and y's values were not correct.
But if I break the searches down into three, I am getting the right values for everything.

swapUsedPct1
index=os host=local*
| multikv fields swapUsedPct
| eval swapUsedPct1=if(swapUsedPct>=10,"NOT OKAY","OKAY")
| stats latest(swapUsedPct1) AS swapUsedPct1 by host

CommandCount1
index=os host=local* source=ps
| multikv
| search S=Z PID=* COMMAND=*
| eventstats dc(PID) AS CommandCount by host
| eval CommandCount1=if(CommandCount>=10,"NOT OKAY","OKAY")
| stats latest(CommandCount1) AS CommandCount1 by host

y
index=os host=local* source=ps
| multikv
| rex field=ELAPSED "(?<daytrend>(\d+\-?))"
| eval daytrend=replace (daytrend,"-","")
| eval daytrend=tonumber(trim(daytrend))
| eval x=(182-daytrend)
| eval y=if(x<=1,"NOT OKAY","OKAY")
| stats latest(y) AS y by host

These searches are good on their own. But if I use eval case and consolidate all three of these searches, the result is not the same. There's actually no NULL value in this one; I just made that up to fill up the case.


richgalloway
SplunkTrust

What do you mean by 'a conflict to my "OKAY" and "NOT OKAY" values'?

---
If this reply helps you, an upvote would be appreciated.

lloydknight
Builder

I'm showing the Status by host; Status consists of swapUsedPct, CommandCount, and y.

If swapUsedPct is NOT OKAY, CommandCount is OKAY, and y is OKAY, the resulting Status should be NOT OKAY regardless of the OKAY values in the other fields.


richgalloway
SplunkTrust

Have you verified the values of swapUsedPct1, CommandCount1, and y?

---
If this reply helps you, an upvote would be appreciated.

lloydknight
Builder

Yes, and my current search is not producing the result that I'm expecting. Originally, these were 3 searches consolidated into 1 search.
