Solved: Eval a transaction with conditional statement

aohls · ‎09-11-2019

I am using a transaction to group some jobs and get the timings. In doing so I want to check for certain steps, file download steps. I have the following.

| transaction unifyends=true JobID maxspan=12h | eval duration=round(duration/60, 2) | eval FTPDownload=if(like(_raw, "%FTPDownload%"), "Yes", "No")

In this case I want to check if the transaction itself contains FTPDownload, and set FTPDownload to Yes or No. I am at times getting both Yes and No, for the same job which does not change. Also for jobs I know and see there is an FTPDownload step, I am getting No back. Is _raw in this case only evaluating the first event in the transaction? Is there any issue with this approach I am overlooking? It seems like this should work but the results are not correct.

somesoni2 · ‎09-11-2019

Try this

| transaction unifyends=true JobID maxspan=12h | eval duration=round(duration/60, 2) | eval FTPDownload=if(match(_raw, "FTPDownload"), "Yes", "No")

OR

| eval FTPDownload=if(match(_raw, "FTPDownload"), "Yes", null()) | transaction unifyends=true JobID maxspan=12h | eval duration=round(duration/60, 2) | eval FTPDownload=coalesce(FTPDownload,"No")

View solution in original post

somesoni2 · ‎09-11-2019

Try this

| transaction unifyends=true JobID maxspan=12h | eval duration=round(duration/60, 2) | eval FTPDownload=if(match(_raw, "FTPDownload"), "Yes", "No")

OR

| eval FTPDownload=if(match(_raw, "FTPDownload"), "Yes", null()) | transaction unifyends=true JobID maxspan=12h | eval duration=round(duration/60, 2) | eval FTPDownload=coalesce(FTPDownload,"No")

aohls · ‎09-12-2019

@somesoni2 The first one worked great. I attempted to use match very quickly but must have mistyped something along the way.

Eval a transaction with conditional statement

Streamline Data Ingestion With Deployment Server Essentials

Remediate Threats Faster and Simplify Investigations With Splunk Enterprise Security ...

Introduction to Splunk AI