Installation

Splunk DB Connect 1: Why is HTTPStatus not returning a value while using an eval field pulled from a database connection?

mbuschle
Explorer

I'm running into an issue with httpstatus not returning a value while using an eval field pulled from a database connection. I have a database that contains a list of Web Servers. My goal is to pull this list and use an eval statement to concatenate the server name into a url field. I will then pass that url into httpstatus.

My issue is that when I create this field and pass it to httpstatus, the command returns no information. It doesn't return a 0, which would be an error, it just doesn't return a status at all. Below is the search I'm using.

|dbquery "database" "SELECT SERVER FROM DLVRYIMPL_VE_DEVICE WHERE ISONLINE = 1 AND ROWNUM = 1" | eval url="http://".SERVER. ":80/userdata/_qc_/_qc_/e8/e858eb10-4fea-43e8-89cc-87cb0d531d53/qumu_48b4c6fd644e41e395e8c51b962fdc01Med.mp4?origin=10.10.10.10:80;server2:80" | httpstatus | table url, httpstatus

I've confirmed that the url I've created is valid and that it does work. If I copy the url I've created directly from the results and paste it into a eval field directly (not using the concatenation), httpstatus will return a result of 200. That search can be found below.

 | eval url="http://server:80/userdata/_qc_/_qc_/e8/e858eb10-4fea-43e8-89cc-87cb0d531d53/qumu_48b4c6fd644e41e395e8c51b962fdc01Med.mp4?origin=10.10.10.10:80;server2:80" | dedup url | httpstatus | table url, httpstatus

It appears to me that Splunk may not be passing the concatenated field in as text, but I can't determine a good way to troubleshoot that. Also, I should note that I've had to modify the httpstatus.py file to allow it to work within my internal environment. However, I've also tested with the original script and the results are identical.

Any help in troubleshooting this issue would be appreciated.

0 Karma
1 Solution

sideview
SplunkTrust
SplunkTrust

The answer is really weird it looks like. Reading its python source, httpstatus command for some reason is only written to do the work if there happens to be a field called "_raw". So I would try this.

|dbquery "database" "SELECT SERVER FROM DLVRYIMPL_VE_DEVICE WHERE ISONLINE = 1 AND ROWNUM = 1" | eval url="http://".SERVER. ":80/userdata/qc/qc/e8/e858eb10-4fea-43e8-89cc-87cb0d531d53/qumu_48b4c6fd644e41e395e8c51b962fdc01Med.mp4?origin=10.10.10.10:80;server2:80" | eval _raw="silly_httpstatus_workaround" | httpstatus | table url, httpstatus

View solution in original post

sideview
SplunkTrust
SplunkTrust

The answer is really weird it looks like. Reading its python source, httpstatus command for some reason is only written to do the work if there happens to be a field called "_raw". So I would try this.

|dbquery "database" "SELECT SERVER FROM DLVRYIMPL_VE_DEVICE WHERE ISONLINE = 1 AND ROWNUM = 1" | eval url="http://".SERVER. ":80/userdata/qc/qc/e8/e858eb10-4fea-43e8-89cc-87cb0d531d53/qumu_48b4c6fd644e41e395e8c51b962fdc01Med.mp4?origin=10.10.10.10:80;server2:80" | eval _raw="silly_httpstatus_workaround" | httpstatus | table url, httpstatus

mbuschle
Explorer

You are correct, it does look weird but it also works. Thanks for the help. Maybe Nimish will see this question and be able to shed some light on why we need to have the _raw field.

0 Karma

sideview
SplunkTrust
SplunkTrust

My first thought is that maybe the SERVER value coming out of dbquery has a trailing or leading space character but it sounds like you've ruled that out. And one very long longshot, is to try putting | nomv SERVER right after the dbquery command.

0 Karma

mbuschle
Explorer

Yes, I did think of the leading or trailing space, and have made sure to eliminate any but that didn't seem to be a problem. Also, I did just try the | nomv Server, but that also didn't make any difference. Thanks for the ideas.

0 Karma
Get Updates on the Splunk Community!

Happy CX Day to our Community Superheroes!

Happy 10th Birthday CX Day!What is CX Day? It’s a global celebration recognizing innovation and success in the ...

Check out This Month’s Brand new Splunk Lantern Articles

Splunk Lantern is a customer success center providing advice from Splunk experts on valuable data insights, ...

Routing Data to Different Splunk Indexes in the OpenTelemetry Collector

This blog post is part of an ongoing series on OpenTelemetry. The OpenTelemetry project is the second largest ...