Other Usage

How to Break the eval condition in 3 line?

man03359
Communicator

Hi All,

I am trying to build a search query for an alert and below is the condition-

| eval status=if(((src="DB_Rebuild_Indexes_UpdateStats_MDM" OR src="DB_Stop_IndexRebuild_Jobs") AND (JobExecTime>39600 OR message="failed")) 
OR (src="RetailAutonomyDataSync" AND (JobExecTime>21600 OR message="failed"))
OR (src="RetailAutonomyPromotionsDataSync" AND (JobExecTime>4000 OR message="failed"))
OR (src="retailautonomyfileage" AND (((Fname="mdmdat" OR Fname="omsdat") AND Age>240) OR (Fname="promodat" AND Age>120)))
OR (src="retaillineitemdup" AND Count>0)
OR (src="esbmessagecount" AND MsgCount>5),"Down","Up")
| stats count count(eval(status="Down")) AS Down latest(_time) as _time BY Device Store src host Chain StoreNum Domain

 But I am facing difficulty at line 4-

OR (src="retailautonomyfileage" AND (((Fname="mdmdat" OR Fname="omsdat") AND Age>240) OR (Fname="promodat" AND Age>120)))It is reading all 3 filenames as one (Fname).

It is taking all 3 file names (Fname=mdmdat,omsdat,promodat) as one and hence I am getting the incorrect count for the src=retailautonomyfileage

I am trying to break the condition of line no 4 into 3 parts within the eval condition itself.

 

Thanks in advance.

Labels (1)
0 Karma

man03359
Communicator

Here is the attachment of the output.

Hope this helps.

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @man03359 ,

let me understand: the Fname field is a single value or a multivalue field, before the stats command?

If it's a multivalue, you have to separate them using "mvexpand" command (https://docs.splunk.com/Documentation/SCS/current/SearchReference/MvexpandCommandOverview#:~:text=Th....).

If it's a single value field there isn't no reasong to have the described behaviour.

Anyway, (I cannot test but it should work), if it's a single value field, you could try to use separated evals:

| eval 
   status=if(((src="DB_Rebuild_Indexes_UpdateStats_MDM" OR src="DB_Stop_IndexRebuild_Jobs") AND (JobExecTime>39600 OR message="failed")),"Down",""),
   (src="RetailAutonomyDataSync" AND (JobExecTime>21600 OR message="failed")),"Down",""), 
   (src="RetailAutonomyPromotionsDataSync" AND (JobExecTime>4000 OR message="failed")),"Down",""),
   (src="retailautonomyfileage" AND (((Fname="mdmdat" OR Fname="omsdat") AND Age>240) OR (Fname="promodat" AND Age>120)))
OR (src="retaillineitemdup" AND Count>0)
OR (src="esbmessagecount" AND MsgCount>5),"Down","")
| stats count count(eval(status="Down")) AS Down latest(_time) as _time BY Device Store src host Chain StoreNum Domain

Ciao.

Giuseppe

0 Karma

man03359
Communicator

Is Fname is a multivalue field having 3 values : mdmdat, omsdat and promodat.

The problem is in this line -

(src="retailautonomyfileage" AND (((Fname="mdmdat" OR Fname="omsdat") AND Age>240) OR (Fname="promodat" AND Age>120)))

It is giving the count of src incorrect, it is reading all the 3 fnames as one.

I am trying to break them in 3 conditions using Fname so that it counts the individual Fname at once.

eg. (src="retailautonomyfileage" AND Fname="mdmdat" AND Age>240) lly for other 2 Fnames.

 

Hope I am able to explain.

 

Tags (1)
0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @man03359 ,

ok, it can have one of the three values or there are more values for the same event?

Could you share a sample of your logs, highlighting the values?

Ciao.

Giuseppe

0 Karma

man03359
Communicator

I am attaching the output and the entire search query -

 

The count for source (src=retailautonomyfileage) is coming as 18 instead of 6 only because it is counting all the 3 Fnames at once. 

This can come in 3 separate counts for 3 Fnames.

Search query-

index="idx-stores-misc" source="C:\\TJXLogs\\Verify\\SQLLogs\\*" sourcetype="Store:SQLLogs:json" host=stp* (host="*.stp.local" OR host="*.tjxcorp.net") NOT host="stp-675*"
| rex field=host "^(?<Device>[^\.]+)\.(?<Domain>.*)$"
| rex field=source "SQLLogs.(?<src>\D+)_"
| rex field=message "job.(?<message>\w+)."
| lookup Stores_Inventory Device OUTPUT DeviceType Store Chain StoreNum
| where DeviceType="SQL" AND NOT src="sqlserveruptime" AND NOT src="ordertracking"
| eval status=if(((src="DB_Rebuild_Indexes_UpdateStats_MDM" OR src="DB_Stop_IndexRebuild_Jobs") AND (JobExecTime>39600 OR message="failed"))
OR (src="RetailAutonomyDataSync" AND (JobExecTime>21600 OR message="failed"))
OR (src="RetailAutonomyPromotionsDataSync" AND (JobExecTime>4000 OR message="failed"))
OR (src="retailautonomyfileage" AND (((Fname="mdmdat" OR Fname="omsdat") AND Age>240) OR (Fname="promodat" AND Age>120)))
OR (src="retaillineitemdup" AND Count>0)
OR (src="esbmessagecount" AND MsgCount>5),"Down","Up")
| stats count count(eval(status="Down")) AS Down latest(_time) as _time BY Device Store src host Chain StoreNum Domain
| eval Status=if(Down=count AND count>0, "0", "1")

 

 

0 Karma
Get Updates on the Splunk Community!

Detecting Remote Code Executions With the Splunk Threat Research Team

WATCH NOWRemote code execution (RCE) vulnerabilities pose a significant risk to organizations. If exploited, ...

Enter the Splunk Community Dashboard Challenge for Your Chance to Win!

The Splunk Community Dashboard Challenge is underway! This is your chance to showcase your skills in creating ...

.conf24 | Session Scheduler is Live!!

.conf24 is happening June 11 - 14 in Las Vegas, and we are thrilled to announce that the conference catalog ...