How do you assign a value to a field if it is missing from the event?

Builder

I have sample data which has all the fields, like below:

[11/07/2018 09:59:00]      CAUAJM_I_40245 EVENT: ALARM            ALARM: JOBFAILURE       JOB: HYGIEIA_EC2_LOAD_ROOT **MACHINE: hexx.com** EXITCODE:  110

Below is an event with the machine field missing:

[11/07/2018 09:17:13]      CAUAJM_I_40245 EVENT: ALARM            ALARM: JOBFAILURE       JOB: FADB_OUT_CROSSINVEST_PFX_BOX EXITCODE:  9

Below is the search I am using:

index=abc |rex field=_raw "MACHINE\:\s(?[^ ]+).*" 
| eval time=strftime(_time,"%Y/%m/%d %H:%M:%S") 
| eval node=host 
| eval resource="Auto" 
| eval type="Alarm" 
| eval severity=1 
| eval Machine_Name=case(isnull(Machine_Name),"NONE",isnotnull(Machine_Name),Machine_Name,1=1,"unknown")
| eval description="CAUAJM:" .CAUAJM ." STATUS:" . STAT . " JOB:" . JOB_Name . " MACHINE:" .Machine_Name. " with ExitCode:" .EXITCODE. " at:" . time . " Environment:AWP" 
| table node resource type severity CAUAJM job_event JOB_Name Machine_Name time description

The description part shows blank for the second event as there is no machine in it. How can I populate that so that the description part is not empty? I have attached a screenshot for better understanding.

Thanks,


Re: How do you assign a value to a field if it is missing from the event?

Contributor

Hi,

I think we can use an if to fill your description field like this:

index=abc 
|rex field=_raw "MACHINE\:\s(?[^ ]+).*" 
| eval time = strftime(_time,"%Y/%m/%d %H:%M:%S") ,
           node = host ,
           resource = "Auto" ,
           type = "Alarm" ,
           severity = 1,
           Machine_Name = case(isnull(Machine_Name),"NONE",isnotnull(Machine_Name),Machine_Name,1=1,"unknown"),
           description = if(isnull(Machine_Name),"Write your comment here","CAUAJM:" .CAUAJM ." STATUS:" . STAT . " JOB:" . JOB_Name . " MACHINE:" .Machine_Name. " with ExitCode:" .EXITCODE. " at:" . time . " Environment:AWP" )
| table node resource type severity CAUAJM job_event JOB_Name Machine_Name time description

I think that should do the trick 🙂

Let me know
KailA


Re: How do you assign a value to a field if it is missing from the event?

Builder

Hello Kaila,

Thank you for your comment. I tried your search, but the description just had the machine name that I gave.
Below is how the description looks for other events:

CAUAJM:CAUAJMI40245 STATUS:JOBFAILURE JOB:GPWAFFPFX_DL MACHINE:GPWSYS.com with ExitCode:1 at:2018/11/08 08:04:05 Environment:AWP

but the one I tried using your query just gives me the machine name, not the entire description.


Re: How do you assign a value to a field if it is missing from the event?

Contributor

That's strange, I just copy/pasted your eval for description and added an if() in it.
But I think I understand what you want to do now; try this:

index=abc 
 |rex field=_raw "MACHINE\:\s(?[^ ]+).*" 
 | eval time = strftime(_time,"%Y/%m/%d %H:%M:%S") ,
            node = host ,
            resource = "Auto" ,
            type = "Alarm" ,
            severity = 1,
            Machine_Name = case(isnull(Machine_Name),"NONE",isnotnull(Machine_Name),Machine_Name,1=1,"unknown"),
            description = if(isnull(Machine_Name),"CAUAJM:" .CAUAJM ." STATUS:" . STAT . " JOB:" . JOB_Name . " MACHINE:No Machine" . " with ExitCode:" .EXITCODE. " at:" . time . " Environment:AWP","CAUAJM:" .CAUAJM ." STATUS:" . STAT . " JOB:" . JOB_Name . " MACHINE:" .Machine_Name. " with ExitCode:" .EXITCODE. " at:" . time . " Environment:AWP" )
 | table node resource type severity CAUAJM job_event JOB_Name Machine_Name time description

Let me explain: if your Machine_Name field is null, it will return the description with MACHINE:No Machine (put whatever you want here); if not, it should return the full description.


Re: How do you assign a value to a field if it is missing from the event?

Builder

If it is null, then the description should be like below:

CAUAJM:CAUAJMI40245 STATUS:JOBFAILURE JOB:GPWAFFPFXDL MACHINE:nomachine with ExitCode:1 at:2018/11/08 08:04:05 Environment:AWP


Re: How do you assign a value to a field if it is missing from the event?

Contributor

OK, but with the snippet of code I gave, didn't it return

CAUAJM:CAUAJMI40245 STATUS:JOBFAILURE JOB:GPWAFFPFX_DL MACHINE:No Machine with ExitCode:1 at:2018/11/08 08:04:05 Environment:AWP
??


Re: How do you assign a value to a field if it is missing from the event?

Builder

Nope, it did not return it.


Re: How do you assign a value to a field if it is missing from the event?

Contributor

Ohhhhhh wait, I'm so sorry, I didn't see that you forgot to give a name to your field in rex.
I think this should work:

index=abc
| rex field=_raw "MACHINE\:\s(?<Machine_Name>[^ ]+).*"
| eval time = strftime(_time,"%Y/%m/%d %H:%M:%S") ,
       node = host ,
       resource = "Auto" ,
       type = "Alarm" ,
       severity = 1,
       Machine_Name = if(isnull(Machine_Name),"no_machine",Machine_Name),
       description = "CAUAJM:" .CAUAJM ." STATUS:" . STAT . " JOB:" . JOB_Name . " MACHINE:" .Machine_Name. " with ExitCode:" .EXITCODE. " at:" . time . " Environment:AWP"
| table node resource type severity CAUAJM job_event JOB_Name Machine_Name time description

Hope it will work now...
KailA

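The same logic outside Splunk, as an added example that is not from the thread or from Splunk: parse the CAUAJM alarm format from the question with a named-group regex (the MACHINE part optional, as in the rex the thread ended with), substitute a default when the machine field is absent, and only then build the description. The sample events are constructed from the question, the timestamp is assumed to be month/day/year, and the default string `nomachine` is the one the asker wanted.

```python
import re
from datetime import datetime

# Constructed sample events in the CAUAJM alarm format from the question;
# the second one has no MACHINE field, as in the thread.
EVENTS = [
    "[11/07/2018 09:59:00]      CAUAJM_I_40245 EVENT: ALARM            "
    "ALARM: JOBFAILURE       JOB: HYGIEIA_EC2_LOAD_ROOT MACHINE: hexx.com EXITCODE:  110",
    "[11/07/2018 09:17:13]      CAUAJM_I_40245 EVENT: ALARM            "
    "ALARM: JOBFAILURE       JOB: FADB_OUT_CROSSINVEST_PFX_BOX EXITCODE:  9",
]

# One regex for the whole line. The MACHINE part is an optional group; on its own
# it is the thread's rex "MACHINE\:\s(?<Machine_Name>[^ ]+)".
EVENT_RE = re.compile(
    r"\[(?P<ts>[^\]]+)\]\s+(?P<CAUAJM>\S+)\s+EVENT:\s+(?P<EVENT>\S+)\s+"
    r"ALARM:\s+(?P<STAT>\S+)\s+JOB:\s+(?P<JOB_Name>\S+)"
    r"(?:\s+MACHINE:\s+(?P<Machine_Name>[^ ]+))?"
    r"\s+EXITCODE:\s+(?P<EXITCODE>\d+)"
)


def parse_event(raw: str) -> dict:
    """Return the event's fields; Machine_Name is None when MACHINE is absent."""
    m = EVENT_RE.search(raw)
    if m is None:
        raise ValueError(f"not a CAUAJM alarm event: {raw!r}")
    fields = m.groupdict()
    # Timestamp assumed to be month/day/year; reformatted like the thread's
    # strftime(_time, "%Y/%m/%d %H:%M:%S").
    stamp = datetime.strptime(fields["ts"], "%m/%d/%Y %H:%M:%S")
    fields["time"] = stamp.strftime("%Y/%m/%d %H:%M:%S")
    return fields


def build_description(fields: dict, default_machine: str = "nomachine") -> str:
    """Build the description, substituting the default BEFORE concatenating.

    Equivalent of SPL coalesce(Machine_Name, "nomachine"): in SPL a null operand
    makes the whole "." concatenation null, which is what blanked the field.
    """
    machine = fields.get("Machine_Name") or default_machine
    return (
        f"CAUAJM:{fields['CAUAJM']} STATUS:{fields['STAT']} JOB:{fields['JOB_Name']} "
        f"MACHINE:{machine} with ExitCode:{fields['EXITCODE']} "
        f"at:{fields['time']} Environment:AWP"
    )
```

Run `build_description(parse_event(raw))` over `EVENTS` to see both descriptions; in SPL the equivalent is `Machine_Name = coalesce(Machine_Name, "nomachine")` placed before the `description` expression in the eval.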