Eval a transaction with conditional statement

aohls
Contributor

I am using a transaction to group some jobs and get the timings. In doing so I want to check for certain steps, file download steps. I have the following.

| transaction unifyends=true JobID maxspan=12h
| eval duration=round(duration/60, 2)
| eval FTPDownload=if(like(_raw, "%FTPDownload%"), "Yes", "No")

In this case I want to check if the transaction itself contains FTPDownload, and set FTPDownload to Yes or No. I am at times getting both Yes and No, for the same job which does not change. Also for jobs I know and see there is an FTPDownload step, I am getting No back. Is _raw in this case only evaluating the first event in the transaction? Is there any issue with this approach I am overlooking? It seems like this should work but the results are not correct.


somesoni2
SplunkTrust

Try this

| transaction unifyends=true JobID maxspan=12h
| eval duration=round(duration/60, 2)
| eval FTPDownload=if(match(_raw, "FTPDownload"), "Yes", "No")

OR

| eval FTPDownload=if(match(_raw, "FTPDownload"), "Yes", null())
| transaction unifyends=true JobID maxspan=12h
| eval duration=round(duration/60, 2)
| eval FTPDownload=coalesce(FTPDownload,"No")
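
A self-contained way to compare the expressions in this thread on constructed data (an added example, not part of the original answer). `makeresults` builds two sample jobs whose JobID values, step names and file name are made up for illustration, and the final table puts the question's `like` test, the answer's `match` test and the answer's pre-transaction flag side by side.

```spl
| makeresults count=5
| streamstats count AS n
| eval JobID=if(n<=3, "constructed-job-A", "constructed-job-B")
| eval _raw=case(
    n==1, "JobID=constructed-job-A step=Start",
    n==2, "JobID=constructed-job-A step=FTPDownload file=constructed.csv",
    n==3, "JobID=constructed-job-A step=End",
    n==4, "JobID=constructed-job-B step=Start",
    n==5, "JobID=constructed-job-B step=End")
| eval _time=_time + n
| sort 0 - _time
| eval FTPDownload=if(match(_raw, "FTPDownload"), "Yes", null())
| transaction unifyends=true JobID maxspan=12h
| eval duration=round(duration/60, 2)
| eval viaLike=if(like(_raw, "%FTPDownload%"), "Yes", "No")
| eval viaMatch=if(match(_raw, "FTPDownload"), "Yes", "No")
| eval FTPDownload=coalesce(FTPDownload, "No")
| table JobID eventcount duration viaLike viaMatch FTPDownload
```

The `sort 0 - _time` step puts the generated events in the descending time order that `transaction` expects from a normal search.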


aohls
Contributor

@somesoni2 The first one worked great. I attempted to use match very quickly but must have mistyped something along the way.
