lookup with if statement through eval.

rahul_mckc_splu · ‎07-20-2021

Here is my search

index=abc Status=FAILED | eval exception =if(bucket_name=s3-abc, "yes","no") | stats count by bucket_name exception

now if my bucket name is s3-abc, it would print bucket_name=s3-abc and exception=yes, rest all buckets will fall under exception=no.

Now i need to do this task through a lookup, i have a lookup which is buckets.csv and fields is there bucket_name, so I need to see that lookup if the bucket is there then it should print exception=yes rest it should print exception=no. i am doing like this but not getting anything

ITWhisperer · ‎07-20-2021

If you csv has bucket_name and exception (always set to "yes") you could try this

index=abc Status=FAILED 
| lookup bucket.csv
| fillnull value="no" exception
| stats count by bucket_name exception

rahul_mckc_splu · ‎07-20-2021

no, it does not seems to be the solution. if you can read what I want.

i need to match my lookup then print "yes" or "no" depends upon if that field value exist.

ITWhisperer · ‎07-20-2021

You said you need to find out if bucket name exists in your bucket.csv - this is what lookup does, however, you need a field to look up from the csv, so why not make it exception so the lookup will return exception as yes if it exists in the csv. If this isn't returned, exception will be null, so fillnull can set the nulls to no. Doesn't this get you to the position you wanted i.e. all buckets in the csv will have exception set to yes and all those not in the csv will have exception set to no. If this is not what you are after, please explain your request more clearly.

rahul_mckc_splu · ‎07-20-2021

Here is my search

index=abc Status=FAILED | eval exception =if(bucket_name=s3-abc, "yes","no") | stats count by bucket_name exception

now if my bucket name is s3-abc, it would print bucket_name=s3-abc and exception=yes, rest all buckets will fall under exception=no.

Now i have lookup like this

bucket_name

s3-abc

s3-bcd

s3-bcw

so I need to see that lookup, if the bucket is there then it should print exception=yes rest it should print exception=no. i am doing like this but not getting anything

iindex=abc Status=FAILED | lookup bucket.csv bucket_name| fillnull value="no" exception | stats count by bucket_name exception

then it is not matching and also printing the "yes" it should print if raw logs has any of the buckets in buckets.csv

rahul_mckc_splu · ‎07-20-2021

worked..thanks alot

ITWhisperer · ‎07-20-2021

Can you change your lookup so it is like this?

bucket_name	exception
s3-abc	yes
s3-bcd	yes
s3-bcw	yes

rahul_mckc_splu · ‎07-20-2021

i have 10000 records in raw logs, and i can't maintain all field names in lookup, so i have almost 20-25 exceptions which i am handling in a lookup, and trying to match those in raw logs to have exception printed as "yes" or "no".

rahul_mckc_splu · ‎07-20-2021

My lookup does not have any exception field, and it would not have it. The reason of printing yes and no is to have match field name in lookup.

rahul_mckc_splu · ‎07-20-2021

then it is not matching and also not printing the "yes" , it should print "yes" if raw logs has any of the buckets in buckets.csv it is only printing "no"

ITWhisperer · ‎07-20-2021

Try this:

index=abc Status=FAILED
| join type=left bucket_name [| inputlookup bucket.csv | eval exception="yes"]
| fillnull value="no" exception
| stats count by bucket_name exception

lookup with if statement through eval.

using Splunk Enterprise

Developer Spotlight with Brett Adams

Index This | What can you do to make 55,555 equal 500?

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...