Splunk Search

Implementing condition in search

Communicator

This is the algorithm of my query. Could someone help me construct it?

If (A happens)
{
Then ( Execute B Query)
{
}

"Here A is a query like Host=A OR B, error_happened"
"B is a query like Host=A OR B, usage
Show in stats/chart, if 'apple' and 'error' found'
if 'orange' and 'error' found
if 'grape' and 'error 'found'"
Apple/Orange/Grape/Error/Error_happened are not Splunk fields; they are just strings/keywords in events.
And the B query should only execute if the A query returns any events/lines. If the A query returns no events/lines, then B shouldn't execute.

0 Karma

Influencer

You could use a subsearch, and return null if your condition is unmet. Like this:

[search host=fruitbasket rotten  
| stats count 
| eval search=if(count>0,"bad AND (orange OR apple)",null) 
| fields search 
| format "" "" "" "" "" "" ]
0 Karma

Communicator

Thanks, I was looking for something exactly like this.. a subsearch kind of thing..

In #4 you have said "fields search". What does this line do?
And what about #5 | format "" "" <-- does it mean to format the output?

Would this give the count (timechart) type stating how many events we had with (apple AND bad) & (orange AND bad)?

0 Karma

Influencer

So this subsearch will return a value based on whether or not it discovers events that match host=fruitbasket rotten. If there are events it will return bad AND (orange OR apple). If there are no events it will return NOT OR ()

NOT OR () evaluates to null, so the outer search will return zero events. If you want a timechart as well, then throw a timechart command after the search like so

[search host=fruitbasket rotten  
| stats count 
| eval search=if(count>0,"bad AND (orange OR apple)",null) 
| fields search 
| format "" "" "" "" "" "" ]
| timechart count

For more information on what the fields search and format mean, have a look at the subsearch documentation http://docs.splunk.com/Documentation/Splunk/latest/Search/Aboutsubsearches

0 Karma

Influencer

Also if this answers your question don't forget to mark the answer as accepted!

Cheers

0 Karma

Communicator

The query runs without any error; however, it doesn't return any events. It seems like it isn't finding the keywords error/orange/apple to search. I put double quotes around them, but the expression gets malformed. It is to be noted that error/orange/apple are not Splunk fields, but just some words found in events..

0 Karma

Influencer

Which query returns no events? host=fruitbasket rotten, or bad AND (orange OR apple)?

0 Karma

Communicator

bad AND (orange OR apple)

0 Karma

Influencer

I'm a bit confused. If you do a query for bad AND (orange OR apple) on its own (without all the subsearch bit), do you get any results? If you get none, then the problem is that you have no data, not that the search is being malformed.

If you think the eval is failing, try this on its own:

| makeresults
| eval search="bad AND (orange OR apple)"
| fields search 
| format "" "" "" "" "" ""

That's what will get sent to the main search if your condition is true.

0 Karma

Communicator

[search host="RAone*.jxa.com" OR host="RATwo*.jxa.com" source="/apps/BSA/data/log/bolly-*" Rotten
| stats count
| eval search=if(count>0,""error" AND ("apple" OR "orange")",null) )
| fields search
| format "" "" "" "" "" ""
| timechart count ]

When I run the queries individually (without nesting in a subsearch) it gives results.
But when I run them together like above I get the error "Error in 'eval' command: The expression is malformed. Expected )."

Just so you know, rotten; error; apple; orange, etc. are words found in logs; they are not Splunk fields.

0 Karma
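The "Expected )" error in the query above comes from two things: the inner double quotes in the eval string literal are not escaped (so `""error" AND (...)"` is parsed as an empty string followed by stray tokens), and there is an extra closing parenthesis after `null)`. The `| timechart count` is also placed inside the subsearch brackets, where it would be swallowed by `| fields search`. The following is a corrected form added here as an example; it is not a query from any post in this thread. The host and source values are the ones quoted in the post above; since error, apple and orange are plain terms, they need no quotes inside the generated search string.

```spl
host="RAone*.jxa.com" OR host="RATwo*.jxa.com" source="/apps/BSA/data/log/bolly-*"
    [ search host="RAone*.jxa.com" OR host="RATwo*.jxa.com" source="/apps/BSA/data/log/bolly-*" rotten
      | stats count
      | eval search=if(count > 0, "error AND (apple OR orange)", null())
      | fields search
      | format "" "" "" "" "" "" ]
| timechart count
```

If a multi-word phrase ever has to be quoted inside the generated search, escape the quotes inside the eval literal with a backslash, for example `"\"error happened\" AND (apple OR orange)"`. Keep in mind that a subsearch runs first and is subject to the default subsearch limits (10,000 results and 60 seconds), so the `| stats count` step is what keeps it cheap: it returns a single row regardless of how many rotten events exist.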

SplunkTrust

You have to use eval(if) in conjunction with like() on _raw data.

Refer to this link; you will get an idea.
http://docs.splunk.com/Documentation/Splunk/7.0.1/SearchReference/ConditionalFunctions#like.28TEXT.2...

Let me know if it helps!

0 Karma

Communicator

Could you give me a pseudo-query using eval(if) and like()/_raw; a skeleton model query to get an idea of how it should be.

0 Karma

Communicator

eval (Host=A OR B, usage
Show in stats/chart, if 'apple' and 'error' found'
if 'orange' and 'error' found
if 'grape' and 'error 'found'"
| stats count by usage) IF (Host=A OR B, "error_happened")

i.e. eval B IF (A happens).

Is this how it should be composed?

0 Karma

SplunkTrust

I am not getting what you want.
Can you please provide some sample input data and also tell us what output you want?

0 Karma

Communicator

Let me put it another way,

If (Host = "fruitbasket" "rotten")
Then search ("apple" AND "bad") and ("orange" AND "bad")
and show it in some stats.

What I mean here is, if the initial search (Host = "fruitbasket" "rotten") returns any result then I want to search for events containing the keywords ("apple" AND "bad") and ("orange" AND "bad"), etc.

Hope I am clear enough.

0 Karma
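The conditional described in the last post, and the eval(if)/like() on _raw approach suggested earlier in the thread, can also be done in a single search without a subsearch: pull both the trigger events and the candidate events in one base search, count the trigger events with eventstats so every row can see that count, and keep the candidate rows only when that count is positive. This is an added example, not a query from the thread or from Splunk's documentation. It uses the host and source values from the earlier post and the terms rotten, error, apple, orange and grape; the field names trigger, trigger_hits and fruit are invented for the example.

```spl
host="RAone*.jxa.com" OR host="RATwo*.jxa.com" source="/apps/BSA/data/log/bolly-*"
    (rotten OR (error AND (apple OR orange OR grape)))
| eval trigger=if(like(_raw, "%rotten%") OR like(_raw, "%Rotten%"), 1, 0)
| eventstats sum(trigger) AS trigger_hits
| where trigger_hits > 0 AND trigger=0
| eval fruit=case(match(_raw, "(?i)apple"), "apple",
                  match(_raw, "(?i)orange"), "orange",
                  match(_raw, "(?i)grape"), "grape")
| where isnotnull(fruit) AND match(_raw, "(?i)error")
| timechart span=1h count by fruit
```

The term search in the first line is case-insensitive, but like() on _raw is not, which is why both spellings of rotten are tested; match() with the (?i) flag avoids that problem for the fruit and error checks. The `trigger=0` condition drops the rotten events themselves from the chart so only the B-type events are counted. This form avoids the subsearch result and time limits, at the cost of eventstats having to see every matching event in the time range, so keep the base search as selective as possible.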