Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

SPL

uagraw01
Motivator
‎12-10-2020 05:39 AM

How can i use multiple NOT condition in my second eval function. My attribute is there state_desc!="ONLINE" OR state_desc!="OFFLINE"

In above condition i always returned only first value not for the second one.

 

Is need to use LIKE , match or any other command because result is in string .please suggest

 

IMG_20201210_190356.jpg

0 Karma
Reply

nickhills
Ultra Champion
‎12-10-2020 08:07 AM

If I understand the question, I think the issue is that you are using ! which means "state_desc (IS NOT) = "ONLINE" in all of the case statements

try this, and see if it addresses your needs:

 

|eval short_description=case(short_desc="OFFLINE","system is offline", short_desc="SUSPECT","system is suspect", short_desc="Recovery pending", "system is recovering", 1=1, "System is Online")
|eval isAlert=if(short_desc!="ONLINE",1,0)

 

The fist eval populates "short_description" with a description of each state.

The second eval creates a new field called "isAlert". For any condition where the short_desc does not contain "ONLINE" it will return a 1, but for a normal online condition it will contain a 0  

If your aim is to fire an alert for an abnormal condition, you only need to worry about results in which isAlert=1, so adding

 

|search isAlert=1

 

at the end will only show you results which indicate the system was not reporting "ONLINE"

If my comment helps, please give it a thumbs up!
0 Karma
Reply

uagraw01
Motivator
‎12-10-2020 10:23 AM

@nickhills  Yes i am agree, because multiple NOT condition in case statement are causing issue and all the not condition are consider only !=ONLINE condition value and create only single value.

Let me try your suggested SPL, i will let you know if this work. 

0 Karma
Reply

to4kawa
Ultra Champion
‎12-10-2020 01:35 PM

| eval sample=if(match(state_desc,"(ON|OFF)LINE"),"nothing", "what you want")

0 Karma
Reply

uagraw01
Motivator
‎12-10-2020 01:42 PM

@to4kawa For multiple Not condition how match will work. Match command only work for true value. Please suggest when condition is not matched as suggested below.

0 Karma
Reply

to4kawa
Ultra Champion
‎12-11-2020 02:19 AM 
| makeresults
| eval Alpha=split("ABCDEFGHIJKLMNOPQRSTUVWXYZ","")
| mvexpand Alpha
| where NOT (Alpha="A" OR Alpha="C" OR Alpha="X" OR Alpha="Z")
0 Karma
Reply

nickhills
Ultra Champion
‎12-10-2020 05:52 AM

I'm not quite clear that I understand your issue.

Is there a reason you are using ! and CASE?

If there are only two options for the value of state_desc you could use "IF" and avoid the !

|eval state_description=if(state_desc="ONLINE", "system is online","system is offline")

 

If my comment helps, please give it a thumbs up!
Reply

uagraw01
Motivator
‎12-10-2020 06:31 AM

 

 For below requirement i am use the case statement with ! Condition. Please assist.

IMG_20201210_200002.jpg

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Community Content Calendar, September edition

Welcome to another insightful post from our Community Content Calendar! We're thrilled to continue bringing ...

Splunkbase Unveils New App Listing Management Public Preview

Splunkbase Unveils New App Listing Management Public PreviewWe're thrilled to announce the public preview of ...

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you leveraging automation to its fullest potential in your threat detection strategy?Our upcoming Security ...