Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

SPL

uagraw01
Motivator
‎12-10-2020 05:39 AM

How can i use multiple NOT condition in my second eval function. My attribute is there state_desc!="ONLINE" OR state_desc!="OFFLINE"

In above condition i always returned only first value not for the second one.

 

Is need to use LIKE , match or any other command because result is in string .please suggest

 

IMG_20201210_190356.jpg

0 Karma
Reply

nickhills
Ultra Champion
‎12-10-2020 08:07 AM

If I understand the question, I think the issue is that you are using ! which means "state_desc (IS NOT) = "ONLINE" in all of the case statements

try this, and see if it addresses your needs:

 

|eval short_description=case(short_desc="OFFLINE","system is offline", short_desc="SUSPECT","system is suspect", short_desc="Recovery pending", "system is recovering", 1=1, "System is Online")
|eval isAlert=if(short_desc!="ONLINE",1,0)

 

The fist eval populates "short_description" with a description of each state.

The second eval creates a new field called "isAlert". For any condition where the short_desc does not contain "ONLINE" it will return a 1, but for a normal online condition it will contain a 0  

If your aim is to fire an alert for an abnormal condition, you only need to worry about results in which isAlert=1, so adding

 

|search isAlert=1

 

at the end will only show you results which indicate the system was not reporting "ONLINE"

If my comment helps, please give it a thumbs up!
0 Karma
Reply

uagraw01
Motivator
‎12-10-2020 10:23 AM

@nickhills  Yes i am agree, because multiple NOT condition in case statement are causing issue and all the not condition are consider only !=ONLINE condition value and create only single value.

Let me try your suggested SPL, i will let you know if this work. 

0 Karma
Reply

to4kawa
Ultra Champion
‎12-10-2020 01:35 PM

| eval sample=if(match(state_desc,"(ON|OFF)LINE"),"nothing", "what you want")

0 Karma
Reply

uagraw01
Motivator
‎12-10-2020 01:42 PM

@to4kawa For multiple Not condition how match will work. Match command only work for true value. Please suggest when condition is not matched as suggested below.

0 Karma
Reply

to4kawa
Ultra Champion
‎12-11-2020 02:19 AM 
| makeresults
| eval Alpha=split("ABCDEFGHIJKLMNOPQRSTUVWXYZ","")
| mvexpand Alpha
| where NOT (Alpha="A" OR Alpha="C" OR Alpha="X" OR Alpha="Z")
0 Karma
Reply

nickhills
Ultra Champion
‎12-10-2020 05:52 AM

I'm not quite clear that I understand your issue.

Is there a reason you are using ! and CASE?

If there are only two options for the value of state_desc you could use "IF" and avoid the !

|eval state_description=if(state_desc="ONLINE", "system is online","system is offline")

 

If my comment helps, please give it a thumbs up!
Reply

uagraw01
Motivator
‎12-10-2020 06:31 AM

 

 For below requirement i am use the case statement with ! Condition. Please assist.

IMG_20201210_200002.jpg

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...

Fun with Regular Expression - multiples of nine

Fun with Regular Expression - multiples of nineThis challenge was first posted on Slack #regex channel ...