Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to edit the eval syntax in my search to assign a value based on the result of a subsearch?

antoniofacchi
New Member
‎12-13-2016 07:47 AM

Hi,

I'm working with Nagios events, with field "current_state" equal 2, Nagios is indicating a critical situation. The events with "current_state=2" are very few. My following search works fine if "current_state=2" events are found, but if they aren't found I get the error:
Error in 'eval' command: The expression is malformed. An unexpected character is reached at ',0)'.

index=app_nagios sourcetype=ydms_status   earliest=-0mon@mon SERVICESTATEID:sasv03qb:
 | eventstats earliest(_time) as start_period latest(_time) as end_period                    
 | eval duration_period=end_period - start_period
 |eval end_incident=if(current_state = 2,[search index=app_nagios sourcetype=ydms_status  earliest=-0mon@mon SERVICESTATEID:sasv03qb: | search current_state=2         
| sort - _time | head 1 | eval end_incident=strptime(last_time_critical,"%Y-%m-%d %H:%M:%S") |return $end_incident],0)|eval start_incident=if(current_state = 2,[search index=app_nagios sourcetype=ydms_status  earliest=-0mon@mon SERVICESTATEID:sasv03qb: | search current_state=2         
| sort - _time | head 1 | eval start_incident=strptime(last_time_ok,"%Y-%m-%d %H:%M:%S") |return $start_incident],0)

What I want to do, if there aren't "current_state=2" events, is to set at 0 the fields start_incident and end_incident.

Many thanks
Antonio

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎12-13-2016 08:06 AM

Give this a try

index=app_nagios sourcetype=ydms_status   earliest=-0mon@mon SERVICESTATEID:sasv03qb:
  | eventstats earliest(_time) as start_period latest(_time) as end_period                    
  | eval duration_period=end_period - start_period
  |eval end_incident=if(current_state = 2,[search index=app_nagios sourcetype=ydms_status  earliest=-0mon@mon SERVICESTATEID:sasv03qb: | search current_state=2         
 | sort - _time | head 1 | eval end_incident=strptime(last_time_critical,"%Y-%m-%d %H:%M:%S") | appendpipe[| stats count as end_incident | where end_incident=0]|return $end_incident],0)|eval start_incident=if(current_state = 2,[search index=app_nagios sourcetype=ydms_status  earliest=-0mon@mon SERVICESTATEID:sasv03qb: | search current_state=2         
 | sort - _time | head 1 | eval start_incident=strptime(last_time_ok,"%Y-%m-%d %H:%M:%S") | appendpipe[| stats count as end_incident | where end_incident=0]|return $start_incident],0)

Update

There were couple of typos as well in my previous attempt. Try this one

index=app_nagios sourcetype=ydms_status   earliest=-0mon@mon SERVICESTATEID:sasv03qb:
   | eventstats earliest(_time) as start_period latest(_time) as end_period                    
   | eval duration_period=end_period - start_period
   |eval end_incident=if(current_state = 2,[search index=app_nagios sourcetype=ydms_status  earliest=-0mon@mon SERVICESTATEID:sasv03qb: current_state=2 | stats count latest(last_time_critical) as  last_time_critical | eval end_incident=if(isnull(last_time_critical),0,strptime(last_time_critical,"%Y-%m-%d %H:%M:%S"))|return $end_incident],0)|eval start_incident=if(current_state = 2,[search index=app_nagios sourcetype=ydms_status  earliest=-0mon@mon SERVICESTATEID:sasv03qb: current_state=2 | stats count latest(last_time_ok) as  last_time_ok | eval start_incident=if(isnull(last_time_ok),0,strptime(last_time_ok,"%Y-%m-%d %H:%M:%S"))|return $start_incident],0)

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎12-13-2016 08:06 AM

Give this a try

index=app_nagios sourcetype=ydms_status   earliest=-0mon@mon SERVICESTATEID:sasv03qb:
  | eventstats earliest(_time) as start_period latest(_time) as end_period                    
  | eval duration_period=end_period - start_period
  |eval end_incident=if(current_state = 2,[search index=app_nagios sourcetype=ydms_status  earliest=-0mon@mon SERVICESTATEID:sasv03qb: | search current_state=2         
 | sort - _time | head 1 | eval end_incident=strptime(last_time_critical,"%Y-%m-%d %H:%M:%S") | appendpipe[| stats count as end_incident | where end_incident=0]|return $end_incident],0)|eval start_incident=if(current_state = 2,[search index=app_nagios sourcetype=ydms_status  earliest=-0mon@mon SERVICESTATEID:sasv03qb: | search current_state=2         
 | sort - _time | head 1 | eval start_incident=strptime(last_time_ok,"%Y-%m-%d %H:%M:%S") | appendpipe[| stats count as end_incident | where end_incident=0]|return $start_incident],0)

Update

There were couple of typos as well in my previous attempt. Try this one

index=app_nagios sourcetype=ydms_status   earliest=-0mon@mon SERVICESTATEID:sasv03qb:
   | eventstats earliest(_time) as start_period latest(_time) as end_period                    
   | eval duration_period=end_period - start_period
   |eval end_incident=if(current_state = 2,[search index=app_nagios sourcetype=ydms_status  earliest=-0mon@mon SERVICESTATEID:sasv03qb: current_state=2 | stats count latest(last_time_critical) as  last_time_critical | eval end_incident=if(isnull(last_time_critical),0,strptime(last_time_critical,"%Y-%m-%d %H:%M:%S"))|return $end_incident],0)|eval start_incident=if(current_state = 2,[search index=app_nagios sourcetype=ydms_status  earliest=-0mon@mon SERVICESTATEID:sasv03qb: current_state=2 | stats count latest(last_time_ok) as  last_time_ok | eval start_incident=if(isnull(last_time_ok),0,strptime(last_time_ok,"%Y-%m-%d %H:%M:%S"))|return $start_incident],0)
0 Karma
Reply
Solved! Jump to solution

antoniofacchi
New Member
‎12-14-2016 12:37 AM

Hi someone2,

it works very well!!!!

Thank you very much for your great support.

Regards
Antonio

0 Karma
Reply
Solved! Jump to solution

antoniofacchi
New Member
‎12-14-2016 06:02 AM

Hi somesoni2,

I did two change at your search and it works very well!!!
Excuse me could you explain me the meaning of your:
appendpipe[| stats count as **start_incident* | where start_incident=0]*

Thank you very much for your great support!!!!
Antonio

index=app_nagios sourcetype=ydms_status   earliest=-0mon@mon SERVICESTATEID:sasv03qb:
   | eventstats earliest(_time) as start_period latest(_time) as end_period                    
   | eval duration_period=end_period - start_period
   |eval end_incident=if(current_state = 2,[search index=app_nagios sourcetype=ydms_status  earliest=-0mon@mon SERVICESTATEID:sasv03qb: | search current_state=2         
  | sort - _time | head 1 | eval end_incident=strptime(last_time_critical,"%Y-%m-%d %H:%M:%S") | appendpipe[| stats count as end_incident | where end_incident=0]|return $end_incident],0)|eval start_incident=if(current_state = 2,[search index=app_nagios sourcetype=ydms_status  earliest=-0mon@mon SERVICESTATEID:sasv03qb: | search current_state=2         
  | sort - _time | head 1 | eval start_incident=strptime(last_time_ok,"%Y-%m-%d %H:%M:%S") | appendpipe[| stats count as **start_incident** | where **start_incident**=0]|return $start_incident],0)
0 Karma
Reply
Solved! Jump to solution

aaraneta_splunk
Splunk Employee
Splunk Employee
‎12-15-2016 09:09 PM

@antoniofacchi - Did the answer provided by somesoni2 help provide a working solution to your question? If yes, please don't forget to resolve this post by clicking "Accept" below his answer.

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎12-14-2016 09:12 AM

The | stats count as start_incident in the appendpipe will return value 0 if there are no rows are available before that. In that case, since there are no rows before that, we'll keep the row returned by stats (thats why we've | where start_incident=0). The result of appendpipe-stats will not be used if there are rows available before that.

0 Karma
Reply
Get Updates on the Splunk Community!

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

New Release | Splunk Cloud Platform 10.1.2507

Hello Splunk Community!We are thrilled to announce the General Availability of Splunk Cloud Platform 10.1.2507 ...

🌟 From Audit Chaos to Clarity: Welcoming Audit Trail v2

🗣 You Spoke, We Listened  Audit Trail v2 wasn’t written in isolation—it was shaped by your voices.  In ...