Conditional Success/Fail

Memphis
Explorer

Hi all - 

I am trying to create what I would think is a relatively simple conditional statement in Splunk. 

Use Case: 

I merely want to know if a job has passed or failed; the only thing that is maybe tricky about this is that the only messages we get for pass or fail look like: 

msg.message="*Work Flow Passed | for endpoint XYZ*" OR msg.message="*STATUS - FAILED*"

I have tried to create a conditional statement based on the messaging but I either return NULL value or the wrong value.  If I try:

 

index=*app_pcf cf_app_name="mddr-batch-integration-flow" msg.message="*Work Flow Passed | for endpoint XYZ*" OR msg.message="*STATUS  - FAILED*"
| eval Status=if('message.msg'="*Work Flow Passed | for endpoint XYZ*","SUCCESS", "FAIL")
| table _time, Status

 

Then it just shows Status as FAIL (which, I know, is objectively wrong because the only message produced for this event is "work flow passed...", which should induce a TRUE value and display "SUCCESS").

If I try another way: 

 

index=*app_pcf cf_app_name="mddr-batch-integration-flow" msg.message="*Work Flow Passed | for endpoint XYZ*" OR msg.message="*STATUS  - FAILED*"
| eval Status=case(msg.message="*Work Flow Passed | for endpoint XYZ*", "SUCCESS", msg.message="*STATUS  - FAILED*", "FAIL")
| table _time, Status

 

I receive NULL value for the STATUS field... 

If it helps, this is how the event looks when I don't add any conditional statement or table:

[attached screenshot: Memphis_0-1718725841069.png]

How can I fix this?? Thanks! 

Memphis
Explorer

Thanks for the help Paul!  I have tried your tips: 

index=*app_pcf cf_app_name="mddr-batch-integration-flow" msg.message="*Work Flow Passed | for endpoint Atmtransaction*"
| rename msg.message as message
| eval Status=if(like(message,"%Work Flow Passed | for endpoint Atmtransaction%"),"SUCCESS", "FAIL")
| table _time, message, Status

And now I have added the correct message (workflow Passed), however the Status is still showing as FAIL... 

[attached screenshot: Memphis_0-1718748009557.png]

bowesmana
SplunkTrust

Your data has a lower case 'a' in atmtransaction and your like statement has 'A'.

If you want to use like() then add in lower(), i.e.

| eval Status=if(like(lower(message),"%work flow passed | for endpoint atmtransaction%"),"SUCCESS", "FAIL")

NB: match(message, regex) is an alternative to like, so you only need to match the part you are interested in, not the entire string. The match equivalent would be:

| eval Status=if(match(message,"(?i)work flow passed \| for endpoint atmtransaction"),"SUCCESS", "FAIL")
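The following is an added example, not code from any post in this thread, that reproduces the three pitfalls discussed above on constructed sample events: eval's = does not expand wildcards, like() is case-sensitive, and a bare "else FAIL" branch silently labels anything unrecognised as a failure. Assumptions: the field has already been renamed from msg.message to message, and the four sample strings below are constructed, not real events.

```spl
| makeresults count=4
| streamstats count AS n
| eval message=case(n==1, "Work Flow Passed | for endpoint atmtransaction",
                    n==2, "Work Flow Passed | for endpoint Atmtransaction",
                    n==3, "STATUS - FAILED",
                    n==4, "STATUS  - FAILED")
| eval eq_wildcard=if(message="*Work Flow Passed*", "SUCCESS", "FAIL")
| eval like_exact=if(like(message, "%Work Flow Passed | for endpoint Atmtransaction%"), "SUCCESS", "FAIL")
| eval like_lower=if(like(lower(message), "%work flow passed | for endpoint atmtransaction%"), "SUCCESS", "FAIL")
| eval match_ci=case(match(message, "(?i)work flow passed \| for endpoint atmtransaction"), "SUCCESS",
                     match(message, "(?i)STATUS\s+-\s+FAILED"), "FAIL",
                     true(), "UNKNOWN")
| table n, message, eq_wildcard, like_exact, like_lower, match_ci
```

Running this shows eq_wildcard as FAIL on every row (the asterisk is a literal character in eval), like_exact flipping between rows 1 and 2 on the case of one letter, and like_lower and match_ci agreeing on all four rows; match_ci additionally keeps a third UNKNOWN outcome, so a message that matches neither pattern is not miscounted as a genuine failure in an alert.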

 

Memphis
Explorer

God bless it, I feel so dumb now lol.  Fixing the "a" from upper to lowercase was all I needed to do.  Thank you for catching that, I didn't realize that the capitalization would have an effect, but I see now why it does.  

Thanks again, everyone, works great now. 

P_vandereerden
Splunk Employee

In conditionals, use "like" instead:

 

| makeresults 
| eval msg.message=mvappend("Work Flow Passed | for endpoint XYZ","STATUS - FAILED") 
| mvexpand msg.message
``` SPL above is to create sample data only ```
| rename msg.message as message
| eval Status=if(like(message,"%Work Flow Passed | for endpoint XYZ%"),"SUCCESS", "FAIL")
| table _time, message, Status

 


It also helps to rename fields with paths to avoid the need for quoting them. 

Paul van der Eerden,
Breaking software for over 20 years.