Re: help with if-else statement

sarit_s · ‎05-10-2020

Hello,

I have this query :

index="prod" eventtype="csm-messages-dhcpd-lpf-eth0-sending" OR eventtype="csm-messages-dhcpd-lpf-eth0-listening" OR eventtype="csm-messages-dhcpd-send-socket-fallback-net" OR eventtype="csm-messages-dhcpd-write-zero-leases" OR eventtype="csm-messages-dhcpd-eth1-nosubnet-declared" 
| timechart span=1m count BY eventtype

which gives me results that looks like this :

_time csm-messages-dhcpd-eth1-nosubnet-declared csm-messages-dhcpd-lpf-eth0-listening csm-messages-dhcpd-lpf-eth0-sending csm-messages-dhcpd-send-socket-fallback-net csm-messages-dhcpd-write-zero-leases
2019-08-05 10:24:00 1 1 1 1 1

I have few questions :
1. is there a way to write the query in such way that will return more than 5000 results?
2. how can i check this terms:
If count is not equal for all rules:
Find timestamps of instances that don’t match count
For each unique timestamp from the previous step, alert “CSM DHCP Anomaly” as ”Medium”

thanks

gcusello · ‎05-10-2020

Hi @sarit_s,
I'm not sure that you can satisfy all your needs, anyway:
for the first request use stats instead timechart

index="prod" eventtype="csm-messages-dhcpd-lpf-eth0-sending" OR eventtype="csm-messages-dhcpd-lpf-eth0-listening" OR eventtype="csm-messages-dhcpd-send-socket-fallback-net" OR eventtype="csm-messages-dhcpd-write-zero-leases" OR eventtype="csm-messages-dhcpd-eth1-nosubnet-declared" 
| bin span=1m _time
| chart count OVER _time BY eventtype

But are you sure to want more than 5000 results? it's very difficoult to read these results!

For the second question the command to use is rare at the end of the search:

index="prod" eventtype="csm-messages-dhcpd-lpf-eth0-sending" OR eventtype="csm-messages-dhcpd-lpf-eth0-listening" OR eventtype="csm-messages-dhcpd-send-socket-fallback-net" OR eventtype="csm-messages-dhcpd-write-zero-leases" OR eventtype="csm-messages-dhcpd-eth1-nosubnet-declared" 
| bin span=1m _time
| stats count BY _time eventtype
| rare _time eventtype

For the third question you alread have the value but grouped by span, if you want the exact vale, try something like this.

index="prod" eventtype="csm-messages-dhcpd-lpf-eth0-sending" OR eventtype="csm-messages-dhcpd-lpf-eth0-listening" OR eventtype="csm-messages-dhcpd-send-socket-fallback-net" OR eventtype="csm-messages-dhcpd-write-zero-leases" OR eventtype="csm-messages-dhcpd-eth1-nosubnet-declared" 
| stats count BY _time eventtype
| rare _time eventtype

Ciao.
Giuseppe

sarit_s · ‎05-10-2020

hi, thanks for your answer but it is not what i asked for.. i don't need the percentage of the results..
i need the results as they were in the first query and need to check on the results if there are some raws that don't have same count

gcusello · ‎05-10-2020

Hi @sarit_s,
try this:

index=_internal
| bin span=10m _time
| stats count AS my_count BY source _time showperc=false
| rare source,_time BY my_count
| sort my_count
| head 10

that related to your example is

index="prod" eventtype="csm-messages-dhcpd-lpf-eth0-sending" OR eventtype="csm-messages-dhcpd-lpf-eth0-listening" OR eventtype="csm-messages-dhcpd-send-socket-fallback-net" OR eventtype="csm-messages-dhcpd-write-zero-leases" OR eventtype="csm-messages-dhcpd-eth1-nosubnet-declared" 
| bin span=1m _time
| stats count AS my_count BY _time eventtype
| rare _time eventtype By my_count showperc=false
| sort my_count
| head 10

I setted a threeshold of the first 10, but you can choose a different one.
If the most events have the same value, you could use perc to find the different values.

Ciao.
Giuseppe

sarit_s · ‎05-11-2020

thanks for your answer.. can you please explain how it is answering my question ?

gcusello · ‎05-11-2020

Hi @sarit_s,
Using this search you have the results grouped for occurrencies, so you can have the values different than the most events, I cannot see any other way to have the differences than the usual value, unless there is a possibility to prevently define the waited value.

Ciao.
Giuseppe

sarit_s · ‎05-11-2020

i think i did not explain myself well...

let say i have 5 different eventtypes..
each one of them gets count value..
for the example, each one of them gets the value 1..
if the count value of all the eventtypes is equal than all is OK. but if the value is not equal i have to act as written in the question.. so.. if 4 of the eventtypes has the value 1 and one of them has the value 0 than it is not OK. i have to find those rows where there is different between the count value for each time stamp.
after i will find this i have to do the rest of the description in my question..

to4kawa · ‎05-10-2020

 index="prod" eventtype="csm-messages-dhcpd-lpf-eth0-sending" OR eventtype="csm-messages-dhcpd-lpf-eth0-listening" OR eventtype="csm-messages-dhcpd-send-socket-fallback-net" OR eventtype="csm-messages-dhcpd-write-zero-leases" OR eventtype="csm-messages-dhcpd-eth1-nosubnet-declared" 
| bin span=1min _time
| stats count by _time eventtype

sarit_s · ‎05-10-2020

thanks for your answer but it is not giving the wanted results

to4kawa · ‎05-10-2020

really?

this display over 5000 rows.

I can't answer Q2 because there is not the detail.

sarit_s · ‎05-10-2020

Hey,
maybe it display more than 50000 but not the right results 🙂
any way, the main thing is Q2..
i will try to explain it better..
i have 5 eventtypes.. each one of them has count value..
the good scenario is when the count value of all the eventtypes is equal.. so i want to check if this value is equal (for each raw) and if not to do what is written in my question..

help with if-else statement

Introducing Splunk Enterprise 9.2

Adoption of RUM and APM at Splunk

Routing logs with Splunk OTel Collector for Kubernetes