Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

New field with conditional value

owulz
Explorer
‎02-11-2021 10:48 PM

I have a dashboard panel with a table that show 3 fields, each of which contain numeric values.

A) "Backups started (count)"

B) "Backups completed successfully (count)"

C) "Backups failed (count)"

I want to create a 4th field (D) "Backups in-progress" that simply calculates B-A.

I already have the logic to change the color of (D) if it's less than (A).

Thanks

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

scelikok
SplunkTrust
SplunkTrust
‎02-12-2021 12:05 AM

Thank you @owulz,

It is clear now. You can use the eval command to calculate a new field (You are very close)

| eval InProgress = Successful-Started
If this reply helps you an upvote and "Accept as Solution" is appreciated.

View solution in original post

Reply
Solved! Jump to solution

owulz
Explorer
‎03-22-2021 06:11 AM

Hi  -  I have an interestnig follow up..

The query section of code in my dashboard panel looks like this at the moment...

<query>
index=myindex sourcetype=bla:linux:syslog host="server.bla.COM" ABCEVENT
| stats
count(eval(searchmatch("BACKUP AND CPF1124"))) as "Started"
count(eval(searchmatch("BACKUP AND CPF1164 AND SUCCESS"))) as "Successful"
count(eval(searchmatch("BACKUP AND CPF1164 AND FAILURE"))) as "Failed"
| eval Running=if(Started-(Successful+Failed) &gt;= 0, Started-(Successful+Failed), 0)
| table Started, Running, Successful, Failed
</query>

The field Running is a calculated field which works, but not well as it relies on data that may notbe unreliable.

I want to replace the value that is displayed for field Running with something like the following (based on new data I send to splunk). Idea is to fetch only the last occurence of this event from the past 5 minutes. The event returned will essentially include a count value that I want to extra and use in my panel as a statistic.

index=myindex sourcetype=bla:linux:syslog host="server.bla.COM" ABCEVENT *NONSBS earliest=-5m | eventstats max(_time) as maxtime | where _time=maxtime

When I do above as a regular Splunk search, I get a single event returned which is perfect.

I already created a field extraction which always shows up as an available field in my search results. It's called Jobs_Running.

What I would like to do is to replace this ...

| eval Running=if(Started-(Successful+Failed) &gt;= 0, Started-(Successful+Failed), 0)

With something similar to the above search string, adapted to work within the existing panel, so that I can display the new value for "Running" along side the existing fields "Started", "Successful" and "Failed".

Is there a way to do this?

One thing I'm not sure about is whether I can pull in the already extracted field (Jobs_Running) that ia visible when I do a regular search or do I need to perform a field extraction on the fly?

The expression is: ^(?:[^ \n]* ){9}(?P<Jobs_Running>\d+)

 

Thanks

 

0 Karma
Reply
Solved! Jump to solution

scelikok
SplunkTrust
SplunkTrust
‎02-12-2021 03:39 AM

Hi @owulz,

I couldn't guess the error but below should work;

index=a0_designeng_generic_app_audit_prd sourcetype=cba:designeng:as400:syslog host="MIDINT01.CBA.COM.AU"
| stats
count(eval(searchmatch("BACKUP AND CPF1124"))) as "Started"
count(eval(searchmatch("BACKUP AND CPF1164 AND SUCCESS"))) as "Successful"
count(eval(searchmatch("BACKUP AND CPF1164 AND FAILURE"))) as "Failed"
| eval Running = Started-(Successful+Failed)
| eval Running = case(Running<0, 0,1=1,Running)
If this reply helps you an upvote and "Accept as Solution" is appreciated.
0 Karma
Reply
Solved! Jump to solution

owulz
Explorer
‎02-12-2021 06:26 PM

I should have mentioned that first I used the last statement exactly as you suggested, but that too returned the same error "Unencoded <"

0 Karma
Reply
Solved! Jump to solution

owulz
Explorer
‎02-12-2021 06:06 PM

Hi again,

I think there may have been an error in this:

| eval Running = case(Running<0, 0,1=1,Running)

I didn't understand the part ...  ,1=1,

I am using below, but getting the error on the second statement: Error on line 434: Unencoded <

| eval Running = Started-(Successful+Failed)
| eval Running = case(Running<0, 0, Running >=0, Running)

Strange as the syntax appears to me to be the same as in the earlierexample (via link I posted).

Not sure why it doesn't like with the syntax I used.

0 Karma
Reply
Solved! Jump to solution
Solution

scelikok
SplunkTrust
SplunkTrust
‎02-12-2021 12:05 AM

Thank you @owulz,

It is clear now. You can use the eval command to calculate a new field (You are very close)

| eval InProgress = Successful-Started
If this reply helps you an upvote and "Accept as Solution" is appreciated.
Reply
Solved! Jump to solution

owulz
Explorer
‎02-12-2021 03:27 AM

Can I just ask a follow up?

My new field now works well. There are occasions where the value is <0. In such cases I want it to show 0. Any value 0 or above stays as is. I tried the following which is to create another field that checks the original newly created field and if <0, use 0 else use original value.

I get an error but not sure why. I had used a researched article.

index=a0_designeng_generic_app_audit_prd sourcetype=cba:designeng:as400:syslog host="MIDINT01.CBA.COM.AU"
| stats
count(eval(searchmatch("BACKUP AND CPF1124"))) as "Started"
count(eval(searchmatch("BACKUP AND CPF1164 AND SUCCESS"))) as "Successful"
count(eval(searchmatch("BACKUP AND CPF1164 AND FAILURE"))) as "Failed"
| eval running1 = Started-(Successful+Failed) | rename running as "Running1"
| eval running2 = case(Running1<0, 0, Running1>= 0, Running1) | rename running as "Running"

The last statement above is the one that the editor says has an error.

The original article link: https://docs.splunk.com/Documentation/SCS/current/SearchReference/ConditionalFunctions

Section Extended example.

Appreciate any help.

Thanks

0 Karma
Reply
Solved! Jump to solution

owulz
Explorer
‎02-12-2021 12:42 AM

That worked a treat @scelikok - thank you so much!

0 Karma
Reply
Solved! Jump to solution

owulz
Explorer
‎02-11-2021 11:50 PM

Hi scelikok, thanks for answering.

 

These are fields created as part of a query search within a table, so each field is a column with a single status result each, so I get 3 columns.

Started, Successful, Failed.

I'm trying to dynamically calculate a 4th field that I'll insert between Started and Successful, to say InProgress.

For those three fields, taking the example of the first, after the index... sourcetype... host.... I have | stats count(eval(searchmatch("search string"))) as "Started". There are three of these. I assumed I'd be able to append something like | eval diff(Successful-Started) as "InProgress"

0 Karma
Reply
Solved! Jump to solution

scelikok
SplunkTrust
SplunkTrust
‎02-11-2021 11:38 PM

Hi @owulz,

Are these fields in table columns or rows? Solution would be different. If you can share your current SPL of that creates that table, we can provide solution easier.

If this reply helps you an upvote and "Accept as Solution" is appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability Cloud's AI Assistant in Action Series: Auditing Compliance and ...

This is the third post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how to ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

What You Read The Most: Splunk Lantern’s Most Popular Articles!

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...
Top