Loop through event message

gurkiratsingh · ‎04-13-2020

Hi I want to compare a date time value with many entities in my message. I have an eval(IST_time_latest) with the value 2020-04-13 00:00:00 and I want to check whether this eval is equal to all the datetimes in (message.abc.cat, message.abc.dog, message.abc.man, message.abc. hello)

The event message is like this:-
{
message: { [-]
abc: { [-]
cat: 2020-04-13 00:00:00
dog: 2020-04-13 00:00:00
man: 2020-04-13 00:00:00
hello: 2020-04-13 00:00:00
} } }

| eval flag_cat=if( (IST_time_latest=='message.abc.cat') ,"TRUE","FALSE")
| eval flag_dog=if( (IST_time_latest=='message.abc.dog') ,"TRUE","FALSE")
|table flag_cat, flag_dog

So there are 50+ entities like this in the messages and I do not want to create a flag like this for all of them. Can you please suggest an alternative??

to4kawa · ‎04-13-2020

....
| spath path=message{}.abc{} output=message
| stats values(IST_time_latest) as IST_time_latest by message
| spant input=message
| fields - message  _*
| eval flag_cat=if(IST_time_latest==cat ,"TRUE","FALSE")

How's this?

gurkiratsingh · ‎04-13-2020

Hi this is extracting all the 50+ dates correctly but can you also tell me where to put the compare sort of thing to get true or false for all. I have to compare with (IST_time_latest)
example: | eval flag_cat=if( (IST_time_latest=='message.abc.cat') ,"TRUE","FALSE")

to4kawa · ‎04-13-2020

I see, my answer is updated

Loop through event message

Building Reliable Asset and Identity Frameworks in Splunk ES

Cloud Monitoring Console - Unlocking Greater Visibility in SVC Usage Reporting

Automatic Discovery Part 3: Practical Use Cases

Are you a member of the Splunk Community?

Loop through event message

Building Reliable Asset and Identity Frameworks in Splunk ES

Cloud Monitoring Console - Unlocking Greater Visibility in SVC Usage Reporting

Automatic Discovery Part 3: Practical Use Cases