Splunk Search

Eval multiple services in single query

cdevoe57
Explorer

I am attempting to run a query that will find the status of 3 services and list which ones are failed and which ones are running. I only want to display the host that failed and the statuses of those services. The end goal is to create an alert.

The following query produces no results


index="server" host="*"  source="Unix:Service"  

| eval IPTABLES = if(UNIT=iptables.service AND (ACTIVE="failed" OR ACTIVE="inactive"), "failed", "OK") 

| eval AUDITD = if(UNIT=auditd.service AND (ACTIVE="failed" OR ACTIVE="inactive"), "failed", "OK") 

| eval CHRONYD = if(UNIT=chronyd.service AND (ACTIVE="failed" OR ACTIVE="inactive"), "failed", "OK")

| dedup host 

| table host IPTABLES AUDITD CHRONYD

This query works

index="server" host="*"  source="Unix:Service"  UNIT=iptables.service 

| eval IPTABLES = if(ACTIVE="failed" OR ACTIVE="inactive", "failed", "OK") 

| dedup host 

| table host IPTABLES


How can I get the query to produce the following results?

host      IPTABLES   AUDITD   CHRONYD
server1   failed     OK       OK


PrewinThomas
Motivator

@cdevoe57 
Try below,

index="server" source="Unix:Service" UNIT IN ("iptables.service", "auditd.service", "chronyd.service")
| eval status=if(ACTIVE=="failed" OR ACTIVE=="inactive", "failed", "OK")
| eval service=case(
    UNIT=="iptables.service", "IPTABLES",
    UNIT=="auditd.service", "AUDITD",
    UNIT=="chronyd.service", "CHRONYD"
)
| stats values(status) as status by host service
| xyseries host service status
| where IPTABLES="failed" OR AUDITD="failed" OR CHRONYD="failed"
| table host IPTABLES AUDITD CHRONYD



Regards,
Prewin
Splunk Enthusiast | Always happy to help! If this answer helped you, please consider marking it as the solution or giving a Karma. Thanks!


bowesmana
SplunkTrust

This syntax is wrong and will never work:

| eval IPTABLES = if(UNIT=iptables.service AND (ACTIVE="failed" OR ACTIVE="inactive"), "failed", "OK") 

UNIT is a string, so must be quoted as you have done for the ACTIVE field.

| eval IPTABLES = if(UNIT="iptables.service" AND (ACTIVE="failed" OR ACTIVE="inactive"), "failed", "OK") 

You probably want to use 

| fields _time host IPTABLES AUDITD CHRONYD
| stats latest(*) as * by host

to get you the most recent state.

PickleRick
SplunkTrust

1. The host=* condition is completely unnecessary. It doesn't narrow your search and every event must have the host field. It's a purely aesthetic remark but bloating the search makes it less readable.

2. The dedup command works differently than I suppose you think it does. After "dedup host" you will be left with just one event containing data for the first service returned by the initial search. All subsequent services for this host will be discarded. I don't think it's what you want.
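Pulling together the two points made above (quote the UNIT string in eval, and use stats latest rather than dedup so that keeping one event per host does not throw away the other two services), here is one way to write the per-host pivot the question asks for. This is an added example, not a query posted by anyone in the thread; it assumes the same index, source and field names (UNIT, ACTIVE, host) and the same ACTIVE values ("failed", "inactive") shown in the question, and the column names IPTABLES, AUDITD and CHRONYD are the question's own. The "missing" placeholder value is this example's choice.

```spl
index="server" source="Unix:Service" UNIT IN ("iptables.service", "auditd.service", "chronyd.service")
| eval state=if(ACTIVE="failed" OR ACTIVE="inactive", "failed", "OK")
| eval IPTABLES=if(UNIT="iptables.service", state, null())
| eval AUDITD=if(UNIT="auditd.service", state, null())
| eval CHRONYD=if(UNIT="chronyd.service", state, null())
| stats latest(IPTABLES) as IPTABLES latest(AUDITD) as AUDITD latest(CHRONYD) as CHRONYD by host
| fillnull value="missing" IPTABLES AUDITD CHRONYD
| where IPTABLES!="OK" OR AUDITD!="OK" OR CHRONYD!="OK"
| table host IPTABLES AUDITD CHRONYD
```

Three design choices are worth spelling out. Each per-service eval returns null() for events belonging to a different unit, and stats ignores null values, so latest(IPTABLES) picks the newest iptables event for the host even when newer auditd or chronyd events exist; that is what dedup host cannot do. fillnull marks a host that has produced no event at all for one of the services as "missing" rather than letting it pass as OK, which matters when the services in question are security controls such as auditd and iptables. Finally, the where clause keeps only hosts with something other than OK in at least one column, so the same search can be saved as an alert that triggers when it returns any rows; host="*" is left out, as noted above, because it does not narrow the search.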

cdevoe57
Explorer

Excellent point. Sadly, I knew that... Must have been a brain cramp.

ITWhisperer
SplunkTrust

It depends on your actual data. Please share some sample representative events.


cdevoe57
Explorer

It is from the TA Nix add-on.

livehybrid
SplunkTrust

Hi @cdevoe57 

Does this bit on its own work?

index="server" host="*"  source="Unix:Service"  UNIT=iptables.service 

If not, how about

index="server" host="*"  source="Unix:Service"  UNIT="iptables.service"

🌟 Did this answer help you? If so, please consider:

  • Adding karma to show it was useful
  • Marking it as the solution if it resolved your issue
  • Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing


cdevoe57
Explorer

Yes, this works:

index="server" host="*"  source="Unix:Service"  UNIT=iptables.service 

| eval IPTABLES = if(ACTIVE="failed" OR ACTIVE="inactive", "failed", "OK") 

| dedup host 

| table host IPTABLES
