Splunk Search

Can you help me fix my Splunk search?

uagraw01
Builder

Hello Splunkers!!

I am facing an issue while running below search. As you can see in the screenshot. Can anyone help me to fix this issue.

 

search query :

 | makeresults
| addinfo
| eval earliest=max(trunc(info_min_time),info_min_time),latest=min(max(trunc(info_max_time),info_max_time+0),2000000000)
| map search="search `indextime`>=`bin($earliest$,300)` `indextime`<`bin($earliest$,300,+300)` earliest=`bin($earliest$,300,-10800)` latest=`bin($latest$,300,+300)``"
| where false()

Screenshot for a query error:

uagraw01_0-1690386717076.png

 

 

Labels (1)
0 Karma
1 Solution

ITWhisperer
SplunkTrust
SplunkTrust
[| makeresults
| addinfo
| eval search="_indextime>=".tostring(300*trunc(info_min_time/300))." _indextime<".tostring((300*trunc(info_min_time/300))+300)."  earliest=".tostring((300*trunc(info_min_time/300))-10800)." latest=".tostring((300*trunc(info_max_time/300))+300)
| fields search] `scada_alarms`

View solution in original post

ITWhisperer
SplunkTrust
SplunkTrust

They look like back-quotes ` which delimit macros - I suspect you should be using single quotes ' for delimiting field names

0 Karma

uagraw01
Builder

@ITWhisperer  You are always a savior for me. As suggested I have replaced back quotes with a single quote. No error found but no event generated.

 

uagraw01_0-1690472781055.png

 

 

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

Perhaps we need to take a step back - what is it you are actually trying to do because it looks like a complicated way of doing things for which there might be a simpler solution. For example, using the map command can be quite complex and should probably be avoided if possible.

0 Karma

uagraw01
Builder

@ITWhisperer The complete search is below where we are using macro scada_alarms, that is why we are using map command. Is there anything which I need to fix here.

| makeresults
| addinfo
| eval earliest=max(trunc(info_min_time),info_min_time),latest=min(max(trunc(info_max_time),info_max_time+0),2000000000)
| map search="search 'indextime'>='bin($earliest$,300)' 'indextime'<'bin($earliest$,300,+300)' 'earliest='bin($earliest$,300,-10800)'' 'latest='bin($latest$,300,+300)' `scada_alarms`\
| where _time>=`bin($earliest$,300,-10800)` AND _time<`bin($latest$,300,+900)`'"
|`maintain(index=si_error,source=scada,group=\\\"isc_id,error\\\",status=status,info=\\\"area,zone,equipment,element,error_status,operator_id\\\",span=300,earliest=$earliest$,latest=$latest$,extrapolate_condition=\\\"time-start_time <= 172800\\\")`")`\
0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

Since you are using macros, you may want to go back to using back-quotes, but in order for us to me able to help you, you should post the expanded version of the search ctrl-shift-E

Use search macros in searches - Splunk Documentation

0 Karma

uagraw01
Builder

@ITWhisperer  I have tried both the methods but with complete search macro is not producing any result. But in last I have paste the macro 

| makeresults
| addinfo
| eval earliest=max(trunc(info_min_time),info_min_time),latest=min(max(trunc(info_max_time),info_max_time+0),2000000000)
| map search="search `indextime`>=`bin($earliest$,300)` `indextime`<`bin($earliest$,300,+300)`earliest=`bin($earliest$,300,-10800)` `latest=`bin($latest$,300,+300)'``scada_alarms``")`

 

| makeresults
| addinfo
| eval earliest=max(trunc(info_min_time),info_min_time),latest=min(max(trunc(info_max_time),info_max_time+0),2000000000)
| map search="search `indextime`>=`bin($earliest$,300)` `indextime`<`bin($earliest$,300,+300)`earliest=`bin($earliest$,300,-10800)` `latest=`bin($latest$,300,+300)'``scada_alarms`\| where  _time>=`bin($earliest$,300,-10800)` AND _time<`bin($latest$,300,+900)`\
 `maintain(index=si_error,source=scada,group=\\\"isc_id,error\\\",status=status,info=\\\"area,zone,equipment,element,error_status,operator_id\\\",span=300,earliest=$earliest$,latest=$latest$,extrapolate_condition=\\\"time-start_time <= 172800\\\")`")`\| where false()

==============COMPLETE MACRO=======

index=ABC sourcetype="ABC" "EquipmentEventReport.EquipmentEvent.Detail.State" IN("CAME_IN","WENT_OUT") | fields _raw | spath output=equipment_event path="EquipmentEventReport.EquipmentEvent" | fields - _raw | mvexpand equipment_event | spath input=equipment_event output=error_status path="Detail.State" | where error_status IN("CAME_IN","WENT_OUT") | spath input=equipment_event output=_time path="Detail.EventTime" | spath input=equipment_event output=operator_id path="Detail.OperatorID" | spath input=equipment_event output=area path="ID.Location.PhysicalLocation.AreaID" | spath input=equipment_event output=zone path="ID.Location.PhysicalLocation.ZoneID" | spath input=equipment_event output=equipment path="ID.Location.PhysicalLocation.EquipmentID" | spath input=equipment_event output=element path="ID.Location.PhysicalLocation.ElementID" | spath input=equipment_event output=error path="ID.MIS_Address" | fields - equipment_event | eval area=`format_area_id(area)`, zone=`format_zone_id(zone)`, equipment=`format_equipment_id(equipment)`, element=`format_element_id(element)`, isc_id = `to_location(area,zone,equipment,element)`, element=if(tonumber(element) > 0, element, null()) | lookup isc id AS isc_id OUTPUTNEW statistical_subject | lookup detail_status mis_address AS error component_type_id AS statistical_subject OUTPUTNEW alarm_severity | where alarm_severity in ("Safety","High","Medium","Low") | eval _time=strptime(_time, "%Y-%m-%dT%H:%M:%S.%N%Z"), status=if(error_status="WENT_OUT",null(),error) | fields _time area zone equipment element isc_id error error_status operator_id status

 

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

If I am reading this correctly, scada_alarms is a macro that expands to the part you have headed "cOMPLETE MACRO" and you are attempting to use this macro inside a map search?

If this is the case, it is possible that the macro is expanded before the map command is execute and since the macro has double quotes in, this is probably terminating the search string at this point and the remainder of the expanded macro is then parsed as part of the main search which is then failing - is this what could be going on?

0 Karma

uagraw01
Builder

@ITWhisperer Yes I want to use that macro in the map command. And do you want me to remove double quotes from here >>> | map search="search

Below is the complete search :

addinfo
| eval earliest=max(trunc(info_min_time),info_min_time),latest=min(max(trunc(info_max_time),info_max_time+0),2000000000)
| map search="search 'indextime'>='bin($earliest$,300)' 'indextime'<'bin($earliest$,300,+300)' 'earliest='bin($earliest$,300,-10800)'' 'latest='bin($latest$,300,+300)' `scada_alarms`\
| where _time>=`bin($earliest$,300,-10800)` AND _time<`bin($latest$,300,+900)`'"
|`maintain(index=si_error,source=scada,group=\\\"isc_id,error\\\",status=status,info=\\\"area,zone,equipment,element,error_status,operator_id\\\",span=300,earliest=$earliest$,latest=$latest$,extrapolate_condition=\\\"time-start_time <= 172800\\\")`")`\

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

Rather than using the map command (which doesn't appear to expand macros), you could try something like this

[| makeresults
| addinfo
| eval search=`indextime`.">=".`bin(info_min_time,300)`." ".`indextime`."<".`bin(info_min_time,300,+300)`."  earliest=".`bin(info_min_time,300,-10800)`." latest=".`bin(info_max_time,300,+300)`
| fields search] `scada_alarms`

Or you may need to manually expand the indextime and bin macros (I have no idea what these are!)

 

0 Karma

uagraw01
Builder

@ITWhisperer  I think I am very close for the execution of the search. Please suggest what should I do next ?

 

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust
[| makeresults
| addinfo
| eval search="_indextime>=".tostring(300*trunc(info_min_time/300))." _indextime<".tostring((300*trunc(info_min_time/300))+300)."  earliest=".tostring((300*trunc(info_min_time/300))-10800)." latest=".tostring((300*trunc(info_max_time/300))+300)
| fields search] `scada_alarms`

uagraw01
Builder

@ITWhispererbelow is the error while running the search.

uagraw01_0-1690807292923.png

 

 

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

Since the only macro you appear to be using in that search is scada_alarms this would suggest that this macro is not available to you - please ensure that the macro is available.

0 Karma

uagraw01
Builder

@ITWhisperer  Macro for `indextime'

uagraw01_0-1690530984732.png

 

 

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

What about the macro for bin?

 

0 Karma

uagraw01
Builder

@ITWhisperer  Below is the macro for bin

uagraw01_0-1690781009059.png

 

 

0 Karma

uagraw01
Builder

@ITWhisperer The search which have mentioned is not giving any error but no event is populating while running.

uagraw01_0-1690527434802.png

 

 

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

It is hard to see from the graphic, but are there single quotes or back-quotes around the indextime and bin macros? They need to be back-quotes for macros. (This is counter to my original suggestion as it wasn't clear at the time that you were using so many macros.)

0 Karma

uagraw01
Builder

Does anyone suggest me the what the values I should pass to complete the search ?

| makeresults
| addinfo
| eval earliest=max(trunc(info_min_time),info_min_time), latest=min(max(trunc(info_max_time),(info_max_time + 0)),2000000000)
| map search="search `indextime`>=`bin($earliest$,300)` `indextime`<`bin($earliest$,300,+300)` earliest=`bin($earliest$,300,-10800)` latest=`bin($latest$,300,+300)` `"

uagraw01_0-1690469778886.png

 

 

 

0 Karma

caiosalonso
Path Finder

Hi @uagraw01,

Have you tried to get more information about the warning in the job inspector? If job inspector contains any logs related to the execution of this query It would be helpful to find what is causing the warning. 

0 Karma
Get Updates on the Splunk Community!

Monitoring Postgres with OpenTelemetry

Behind every business-critical application, you’ll find databases. These behind-the-scenes stores power ...

Mastering Synthetic Browser Testing: Pro Tips to Keep Your Web App Running Smoothly

To start, if you're new to synthetic monitoring, I recommend exploring this synthetic monitoring overview. In ...

Splunk Edge Processor | Popular Use Cases to Get Started with Edge Processor

Splunk Edge Processor offers more efficient, flexible data transformation – helping you reduce noise, control ...