Hi All, I am relatively new to Splunk.
I am trying to build a search query, and below is the condition of the query:
| eval status=if(((src="DB_Rebuild_Indexes_UpdateStats_MDM" OR src="DB_Stop_IndexRebuild_Jobs") AND (JobExecTime>39600 OR message="failed"))
OR (src="RetailAutonomyDataSync" AND (JobExecTime>21600 OR message="failed"))
OR (src="RetailAutonomyPromotionsDataSync" AND (JobExecTime>4000 OR message="failed"))
OR (src="retailautonomyfileage" AND (((Fname="mdmdat" OR Fname="omsdat") AND Age>240) OR (Fname="promodat" AND Age>120)))
OR (src="retaillineitemdup" AND Count>0)
OR (src="esbmessagecount" AND MsgCount>5),"Down","Up")
| stats count count(eval(status="Down")) AS Down latest(_time) as _time BY Device Store src host Chain StoreNum Domain
I am facing a problem in line no. 4, which is:
(src="retailautonomyfileage" AND (((Fname="mdmdat" OR Fname="omsdat") AND Age>240) OR (Fname="promodat" AND Age>120)))
It is reading all 3 filenames as one (Fname).
The source "retailautonomyfileage" has 3 filenames (Fname="mdmdat", Fname="omsdat", Fname="promodat"),
and when I do the stats count, I am not sure why it is counting the sum of all 3 filenames altogether in the output (18 instead of 6):
Output:
Device | Store | src | host | Chain | StoreNum | Domain | count |
stp-020sql1 | stp0020 | DB_Rebuild_Indexes_UpdateStats_MDM | stp-020sql1.stp.local | stp | 20 | stp.local | 6 |
stp-020sql1 | stp0020 | DB_Stop_IndexRebuild_Jobs | stp-020sql1.stp.local | stp | 20 | stp.local | 6 |
stp-020sql1 | stp0020 | RetailAutonomyDataSync | stp-020sql1.stp.local | stp | 20 | stp.local | 6 |
stp-020sql1 | stp0020 | RetailAutonomyPromotionsDataSync | stp-020sql1.stp.local | stp | 20 | stp.local | 6 |
stp-020sql1 | stp0020 | esbmessagecount | stp-020sql1.stp.local | stp | 20 | stp.local | 6 |
stp-020sql1 | stp0020 | retailautonomyfileage | stp-020sql1.stp.local | stp | 20 | stp.local | 18 |
stp-020sql1 | stp0020 | retaillineitemdup | stp-020sql1.stp.local | stp | 20 | stp.local | 6 |
stp-089sql1 | stp0089 | DB_Rebuild_Indexes_UpdateStats_MDM | stp-089sql1.stp.local | stp | 89 | stp.local | 6 |
stp-089sql1 | stp0089 | DB_Stop_IndexRebuild_Jobs | stp-089sql1.stp.local | stp | 89 | stp.local | 6 |
I am trying to break it into 3 lines under the search query, e.g.:
(src="retailautonomyfileage1" AND (Fname="mdmdat" AND Age>240))
(src="retailautonomyfileage2" AND (Fname="omsdat" AND Age>240))
(src="retailautonomyfileage3" AND (Fname="promodat" AND Age>120))
I am not sure how I can obtain that. Please help.
Thanks in Advance.
If I understand correctly, you could try something like this:
| eval src=case(src="retailautonomyfileage" AND Fname="mdmdat", "retailautonomyfileage1", src="retailautonomyfileage" AND Fname="omsdat", "retailautonomyfileage2", src="retailautonomyfileage" AND Fname="promodat", "retailautonomyfileage3", true(), src)
| eval status=if(((src="DB_Rebuild_Indexes_UpdateStats_MDM" OR src="DB_Stop_IndexRebuild_Jobs") AND (JobExecTime>39600 OR message="failed"))
OR (src="RetailAutonomyDataSync" AND (JobExecTime>21600 OR message="failed"))
OR (src="RetailAutonomyPromotionsDataSync" AND (JobExecTime>4000 OR message="failed"))
OR ((src="retailautonomyfileage1" OR src="retailautonomyfileage2") AND Age>240) OR (src="retailautonomyfileage3" AND Age>120)
OR (src="retaillineitemdup" AND Count>0)
OR (src="esbmessagecount" AND MsgCount>5),"Down","Up")
| stats count count(eval(status="Down")) AS Down latest(_time) as _time BY Device Store src host Chain StoreNum Domain
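Why the original query reports 18 and the accepted answer reports 6 comes down to what `stats ... BY src` uses as its group key. The following Python model is an added example and is not code from the thread or from Splunk; it replays the question's status logic and the answer's `eval src=case(...)` relabelling over constructed events (six per source, three file names under retailautonomyfileage), grouping by src only because the other BY fields are constant in the thread's output.

```python
# Added example (not code from the thread): a Python model of how Splunk's
# `stats count ... BY src` groups the retailautonomyfileage events, and how the
# answer's `eval src=case(...)` relabelling splits that group. All events below
# are constructed; the other BY fields (Device, Store, host, ...) are constant in
# the thread's output, so only src is used as the group key here.
from collections import defaultdict

# Constructed sample: six events per source, three file names under the
# retailautonomyfileage source, matching the 6 vs 18 counts in the question.
SAMPLE_EVENTS = []
for i in range(6):
    SAMPLE_EVENTS.append({"src": "esbmessagecount", "MsgCount": 7 if i == 5 else 2, "_time": 1000 + i})
for fname, age in (("mdmdat", 300), ("omsdat", 100), ("promodat", 130)):
    for i in range(6):
        SAMPLE_EVENTS.append({"src": "retailautonomyfileage", "Fname": fname, "Age": age, "_time": 2000 + i})

# Mapping used by the answer's case() statement.
FILEAGE_SPLIT = {
    "mdmdat": "retailautonomyfileage1",
    "omsdat": "retailautonomyfileage2",
    "promodat": "retailautonomyfileage3",
}


def relabel_src(event):
    """Model of `eval src=case(src="retailautonomyfileage" AND Fname=..., ..., true(), src)`."""
    if event["src"] == "retailautonomyfileage" and event.get("Fname") in FILEAGE_SPLIT:
        return FILEAGE_SPLIT[event["Fname"]]
    return event["src"]


def is_down(event):
    """Model of the status=if(...) thresholds for the sources present in the sample.

    The unsplit branch is the question's original condition; the split branches
    are the answer's rewritten ones. Both give the same per-event result."""
    src = event["src"]
    fname = event.get("Fname")
    age = event.get("Age", 0)
    if src == "retailautonomyfileage":
        return (fname in ("mdmdat", "omsdat") and age > 240) or (fname == "promodat" and age > 120)
    if src in ("retailautonomyfileage1", "retailautonomyfileage2"):
        return age > 240
    if src == "retailautonomyfileage3":
        return age > 120
    if src == "esbmessagecount":
        return event.get("MsgCount", 0) > 5
    return False


def stats_by_src(events, split_fileage):
    """Model of `stats count count(eval(status="Down")) AS Down latest(_time) AS _time BY src`.

    With split_fileage=False all three file names share src="retailautonomyfileage"
    and land in one group (count 18). With split_fileage=True the relabelling runs
    first, so each file name becomes its own group (count 6 each)."""
    groups = defaultdict(lambda: {"count": 0, "Down": 0, "_time": None})
    for ev in events:
        ev = dict(ev)  # copy, so the sample list is not mutated
        if split_fileage:
            ev["src"] = relabel_src(ev)
        g = groups[ev["src"]]
        g["count"] += 1
        if is_down(ev):
            g["Down"] += 1
        if g["_time"] is None or ev["_time"] > g["_time"]:
            g["_time"] = ev["_time"]
    return dict(groups)


if __name__ == "__main__":
    for label, split in (("original query", False), ("with case() relabelling", True)):
        print(label)
        for src, row in sorted(stats_by_src(SAMPLE_EVENTS, split).items()):
            print(f"  {src:28} count={row['count']:2} Down={row['Down']:2} _time={row['_time']}")
```

Running it shows the single retailautonomyfileage row with count 18 in the first pass and three rows of count 6 in the second; the per-event Down decision is identical in both passes, which is why the relabelling fixes the grouping without changing which events are flagged.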
This worked, thanks a lot 🙂
Good day.
Hi @man03359,
as I already asked, do you also have the same issue when dividing the eval command by src?
| eval status=if(((src="DB_Rebuild_Indexes_UpdateStats_MDM" OR src="DB_Stop_IndexRebuild_Jobs") AND (JobExecTime>39600 OR message="failed")) ,"Down","Up")
| eval status=if(src="RetailAutonomyDataSync" AND (JobExecTime>21600 OR message="failed"),"Down","Up")
| eval status=if(src="RetailAutonomyPromotionsDataSync" AND (JobExecTime>4000 OR message="failed"),"Down","Up")
| eval status=if(src="retailautonomyfileage" AND (((Fname="mdmdat" OR Fname="omsdat") AND Age>240) OR (Fname="promodat" AND Age>120)),"Down","Up")
| eval status=if(src="retaillineitemdup" AND Count>0,"Down","Up")
| eval status=if(src="esbmessagecount" AND MsgCount>5,"Down","Up")
| stats count count(eval(status="Down")) AS Down latest(_time) as _time BY Device Store src host Chain StoreNum Domain
Ciao.
Giuseppe