hi @_pravin,

good for you, see next time!

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated 😉

Hi @gcusello ,

Thanks for responding.

I figured out that the report was not being shown because of the eval command in the search. ( marked in red)

When I remove the line and save the report, I can see the report when the filter is applied.

Not sure how could the eval command affect the report.

Regards,

Pravin

HI @_pravin .

probably the eval doesn't always match so all the other commands, that use the Module field don't work.

Check if you really need this conditiion and try to replace with the isnull() function.

ciao.

Gioseppe

Hi @gcusello ,

Even I feel that the eval command doesn't always match and so the SPL is not working.

I tried the isnull(), len()>0, and even reversing the condition to look for empty cells, but neither of them worked.

Thanks,

Pravin

Hi @_pravin,

please debug your search deleting all the raws until raw before the eval command: what's the value of the Module field?

have you empty values or not?

Please, share your search also in text format.

Ciao.

Giuseppe

Hi @gcusello ,

The SPL is actually a report, so the data has not even been sent to the function t has been invoked. 

I tried to add just the one line to the report and noticed that the report just disappears. 

I am also attaching the code below

| mstats sum("mx.process.logs") as count WHERE "index"="mx_metrics" mx.env=$mx.env$ log.type=log span=10s BY pid service.name replica.name service.type module.names severity host cmd mx.env\ 
| rename module.names as Module 
| rename host as Hostname 
| rename severity as lvl 
| rename pid as PID 
| eval Module=if(Module!="",Module,"UNDEFINED") 
| eval temp=split(Module,",") 
| mvexpand temp 
| eval recipient=("MX_MONITORING_".temp . "@mx.com") 
| fields - temp 
| rename _time as timestamp 
| mvcombine delim="," recipient 
| rename timestamp as _time 
| fields _time count PID service.name replica.name service.type Module lvl Hostname cmd mx.env recipient 
| sort 0 - _time 
| stats values(service.name) as Services values(replica.name) as Replicas values(PID) as PIDs values(Hostname) as Hosts sum(count) as Count_Of_Errors earliest_time(replica.name) as Earliest_Error_Time latest_time(replica.name) as Latest_Error_Time values(lvl) as Severities values(recipient) as Owners by Module mx.env 
| eval Earliest_Error_Time=strftime(Earliest_Error_Time,"%d/%m/%y %H:%M:%S") 
| eval Latest_Error_Time=strftime(Latest_Error_Time,"%d/%m/%y %H:%M:%S") 
| table Module Services Replicas PIDs Hosts Count_Of_Errors Earliest_Error_Time Latest_Error_Time Severities mx.env

I tried using the line in an another report, and the other report also disapperas in the report filter. Now I feel that this is more of a bug that a code functionality issue.

Please let me know what you feel about this?

Regards,

Pravin

Hi @_pravin ,

as I said, if you run 

| mstats sum("mx.process.logs") as count WHERE "index"="mx_metrics" mx.env=$mx.env$ log.type=log span=10s BY pid service.name replica.name service.type module.names severity host cmd mx.env\ 
| rename module.names as Module 
| rename host as Hostname 
| rename severity as lvl 
| rename pid as PID 

have you null (or similar) values for the Module field?

Ciao.

Giuseppe

hi @gcusello ,

I get an empty cell for the column Module. 

Regards,

Pravin

Hi @_pravin ,

see in interesting fields: have you empty values or you don't have values?

Ciao.

Giuseppe

Hi @gcusello ,

When I run the below search, I get results like these. Not sure if this is empty value or no value.

Regards,

Pravin

Hi @_pravin ,

sorry I wasn't clear; in the events tab, see in the interesting fields if the empty value is present in the Module fields or not.

Ciao.

Giuseppe

Hi @gcusello ,

The empty values are present in interesting fields.

Regards,

Pravin

Hi @_pravin ,

did you tried the inverse condition:

| eval Module=if(Module="*",Module,"UNDEFINED") 

Ciao.

Giuseppe

Hi @gcusello ,

I tried the inverse condition as well, but didn't work.

Regards,

Pravin