This is the algorithm of my query. Could someone help me construct it?
If (A happens)
{
    Then (Execute B query)
}
"Here A is a query like: Host=A OR B, error_happened"
"B is a query like: Host=A OR B, usage
Show in stats/chart if 'apple' and 'error' are found,
if 'orange' and 'error' are found,
if 'grape' and 'error' are found"
Apple/Orange/Grape/Error/Error_happened are not Splunk fields; they are just strings/keywords in the events.
And the B query should only execute if the A query returns any events/lines. If the A query returns no events/lines, then B shouldn't execute.
You could use a subsearch, and return null if your condition is unmet. Like this:
[search host=fruitbasket rotten
| stats count
| eval search=if(count>0,"bad AND (orange OR apple)",null())
| fields search
| format "" "" "" "" "" "" ]
Thanks, I was looking for something exactly like this, a subsearch kind of thing.
In #4 you have said "fields search". What does this line do?
And what about #5, | format "" "" <-- does it mean to format the output?
Would this give the count (timechart) type, stating how many events we had with (apple AND bad) & (orange AND bad)?
So this subsearch will return a value based on whether or not it discovers events that match host=fruitbasket rotten. If there are events it will return bad AND (orange OR apple). If there are no events it will return NOT OR (). NOT OR () evaluates to null, so the outer search will return zero events. If you want a timechart as well, then throw a timechart command after the search, like so:
[search host=fruitbasket rotten
| stats count
| eval search=if(count>0,"bad AND (orange OR apple)",null())
| fields search
| format "" "" "" "" "" "" ]
| timechart count
For more information on what the fields search and format lines mean, have a look at the subsearch documentation: http://docs.splunk.com/Documentation/Splunk/latest/Search/Aboutsubsearches
Also, if this answers your question, don't forget to mark the answer as accepted!
Cheers
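Putting the gate and the per-keyword stats the question asked for into one search, as an added example that is not part of the answer above: the subsearch is the same gating construct (host `fruitbasket` and the keywords `rotten`, `bad`, `apple`, `orange`, `grape` are the placeholders used in this thread, not real data), the outer search only receives the generated `bad AND (...)` term when the `rotten` search found at least one event, and `searchmatch()` turns each free-text keyword into a `fruit` category so that `timechart` can count per fruit instead of only an overall count.

```spl
host=fruitbasket
    [ search host=fruitbasket rotten
      | stats count
      | eval search=if(count > 0, "bad AND (apple OR orange OR grape)", null())
      | fields search
      | format "" "" "" "" "" "" ]
| eval fruit=case(searchmatch("apple"),  "apple",
                  searchmatch("orange"), "orange",
                  searchmatch("grape"),  "grape")
| timechart span=1h count BY fruit
```

Two things worth knowing before relying on this: the subsearch runs first and is subject to the subsearch time limit (60 seconds by default), so keep the `rotten` search cheap; and `searchmatch()` applies the same token-based, case-insensitive matching as the search bar, so an event whose text reads "apples" is neither retrieved by the `apple` term nor categorised as apple. The `timechart` runs over the outer search's time range, so the `rotten` check and the `bad` counts cover the same window.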
The query runs without any error; however, it doesn't return any events. It seems like it isn't finding the keywords error/orange/apple to search for. I put double quotes around them, but then the expression gets malformed. Note that error/orange/apple are not Splunk fields, just some words found in the events.
Which query returns no events? host=fruitbasket rotten or bad AND (orange OR apple)?
bad AND (orange OR apple)
I'm a bit confused. If you do a query for bad AND (orange OR apple) on its own (without all the subsearch bit), do you get any results? If you get none, then the problem is that you have no data, not that the search is malformed.
If you think the eval is failing, try this on its own:
| makeresults
| eval search="bad AND (orange OR apple)"
| fields search
| format "" "" "" "" "" ""
That's what will get sent to the main search if your condition is true.
[search host="RAone*.jxa.com" OR host="RATwo*.jxa.com" source="/apps/BSA/data/log/bolly-*" Rotten
| stats count
| eval search=if(count>0,""error" AND ("apple" OR "orange")",null) )
| fields search
| format "" "" "" "" "" ""
| timechart count ]
When I run the queries individually (without nesting in a subsearch) they give results.
But when I run them together like above I get the error "Error in 'eval' command: The expression is malformed. Expected )."
Just so you know, rotten, error, apple, orange etc. are words found in the logs; they are not Splunk fields.
You have to use eval(if) in conjunction with like() on the _raw data.
Refer to this link; you will get an idea:
http://docs.splunk.com/Documentation/Splunk/7.0.1/SearchReference/ConditionalFunctions#like.28TEXT.2...
Let me know if it helps!
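As an added example of the eval/like() pattern on `_raw` (this is not the commenter's own query; `fruitbasket`, `rotten`, `bad` and the fruit names are the thread's placeholders), the search below does the "only if A returned events" gating inside a single search instead of a subsearch: `eventstats` counts the `rotten` events across the whole result set, `where` drops everything when that count is zero, and `like()` on `_raw` categorises the remaining `bad` events by fruit.

```spl
host=fruitbasket (rotten OR bad)
| eval is_rotten=if(like(_raw, "%rotten%"), 1, 0)
| eval fruit=case(like(_raw, "%bad%") AND like(_raw, "%apple%"),  "apple",
                  like(_raw, "%bad%") AND like(_raw, "%orange%"), "orange",
                  like(_raw, "%bad%") AND like(_raw, "%grape%"),  "grape")
| eventstats sum(is_rotten) AS rotten_total
| where rotten_total > 0 AND isnotnull(fruit)
| stats count AS events BY fruit
```

`like()` is a case-sensitive substring match, so `%rotten%` also matches text such as "rottenness" and `%Bad%` would not match "bad"; if the log casing varies, wrap `_raw` in `lower()` first. Because `eventstats` has to see every event before the `where` can run, this form pulls all `rotten` and `bad` events for the time range through the search head, which is fine for a dashboard panel but costlier than the subsearch gate on a large index.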
Could you give me a pseudo-query using eval(if) and like()/_raw, a skeleton query to give an idea of how it should be composed?
eval (Host=A OR B, usage
Show in stats/chart if 'apple' and 'error' are found,
if 'orange' and 'error' are found,
if 'grape' and 'error' are found
| stats count by usage) IF (Host=A OR B, "error_happened")
i.e. eval B IF (A happens).
Is this how it should be composed?
I am not getting what you want.
Can you please provide some sample input data and also tell us what output you want?
Let me put it another way:
If (Host = "fruitbasket" "rotten")
Then search ("apple" AND "bad") and ("orange" AND "bad")
and show it in some stats.
What I mean here is, if the initial search (Host = "fruitbasket" "rotten") returns any result, then I want to search for events containing the keywords ("apple" AND "bad") and ("orange" AND "bad"), etc.
Hope I am clear enough.