Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Conditional Success/Fail

Memphis
Explorer
‎06-18-2024 08:47 AM

Hi all - 

I am trying to create what I would think is a relatively simple conditional statement in Splunk. 

Use Case: 

I merely want to know if a job has passed or failed; the only thing that is maybe tricky about this is the only message we get for pass or fail look like: 

msg.message="*Work Flow Passed | for endpoint XYZ*" OR msg.message="*STATUS - FAILED*"

I have tried to create a conditional statement based on the messaging but I either return NULL value or the wrong value.  If I try:

 

index=*app_pcf cf_app_name="mddr-batch-integration-flow" msg.message="*Work Flow Passed | for endpoint XYZ*" OR msg.message="*STATUS  - FAILED*"
| eval Status=if('message.msg'="*Work Flow Passed | for endpoint XYZ*","SUCCESS", "FAIL")
| table _time, Status

 

 Then it just shows Status as FAIL (which, i know is objectively wrong because the only message produced for this event is "work flow passed..." which should induce a TRUE value and display "SUCCESS").

If I try another way: 

 

index=*app_pcf cf_app_name="mddr-batch-integration-flow" msg.message="*Work Flow Passed | for endpoint XYZ*" OR msg.message="*STATUS  - FAILED*"
| eval Status=case(msg.message="*Work Flow Passed | for endpoint XYZ*", "SUCCESS", msg.message="*STATUS  - FAILED*", "FAIL")
| table _time, Status

 

I receive NULL value for the STATUS field... 

If it helps, this is how the event looks when i don't add any conditional statement or table:

Memphis_0-1718725841069.png

How can I fix this?? Thanks! 

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

bowesmana
SplunkTrust
SplunkTrust
‎06-18-2024 04:49 PM

Your data has a lower case 'a' for atmtransaction and your like statement as 'A'

If you want to use like() then add in lower(), i.e.

| eval Status=if(like(lower(message),"%work flow passed | for endpoint atmtransaction%"),"SUCCESS", "FAIL")

NB: match(message, regex) is an alternative to like, so you only need to match the part you are interested in, not the entire string, the match equivalent would be

| eval Status=if(match(message,"(?i)work flow passed \| for endpoint atmtransaction"),"SUCCESS", "FAIL")

 

View solution in original post

Reply
Solved! Jump to solution

Memphis
Explorer
‎06-18-2024 03:00 PM

Thanks for the help Paul!  I have tried your tips: 

index=*app_pcf cf_app_name="mddr-batch-integration-flow" msg.message="*Work Flow Passed | for endpoint Atmtransaction*"
| rename msg.message as message
| eval Status=if(like(message,"%Work Flow Passed | for endpoint Atmtransaction%"),"SUCCESS", "FAIL")
| table _time, message, Status

And now I have added the correct message (workflow Passed) however the Status is still showing as FAIL... 

Memphis_0-1718748009557.png

 

0 Karma
Reply
Solved! Jump to solution
Solution

bowesmana
SplunkTrust
SplunkTrust
‎06-18-2024 04:49 PM

Your data has a lower case 'a' for atmtransaction and your like statement as 'A'

If you want to use like() then add in lower(), i.e.

| eval Status=if(like(lower(message),"%work flow passed | for endpoint atmtransaction%"),"SUCCESS", "FAIL")

NB: match(message, regex) is an alternative to like, so you only need to match the part you are interested in, not the entire string, the match equivalent would be

| eval Status=if(match(message,"(?i)work flow passed \| for endpoint atmtransaction"),"SUCCESS", "FAIL")

 

Reply
Solved! Jump to solution

Memphis
Explorer
‎06-20-2024 11:53 AM

god blessit, i feel so dumb now lol.  Fixing the "a" from upper to lowercase was all I needed to do.  Thank you for catching that, i didn't realize that the capitalization would have an effect, but I see now why it does.  

Thanks again, everyone works great now. 

0 Karma
Reply
Solved! Jump to solution

P_vandereerden
Splunk Employee
Splunk Employee
‎06-18-2024 10:11 AM

In conditionals, use "like" instead:

 

| makeresults 
| eval msg.message=mvappend("Work Flow Passed | for endpoint XYZ","STATUS - FAILED") 
| mvexpand msg.message
``` SPL above is to create sample data only ```
| rename msg.message as message
| eval Status=if(like(message,"%Work Flow Passed | for endpoint XYZ%"),"SUCCESS", "FAIL")
| table _time, message, Status

 


It also helps to rename fields with paths to avoid the need for quoting them. 

Paul van der Eerden,
Breaking software for over 20 years.
Reply
Get Updates on the Splunk Community!

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Survey for Splunk Admins and App Developers is open now! | Earn a $35 gift card!      Hello there,  Splunk ...

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...