Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

SPL

uagraw01
Builder
‎12-10-2020 05:39 AM

How can i use multiple NOT condition in my second eval function. My attribute is there state_desc!="ONLINE" OR state_desc!="OFFLINE"

In above condition i always returned only first value not for the second one.

 

Is need to use LIKE , match or any other command because result is in string .please suggest

 

IMG_20201210_190356.jpg

Labels (1)
Labels
0 Karma
Reply

nickhills
Ultra Champion
‎12-10-2020 08:07 AM

If I understand the question, I think the issue is that you are using ! which means "state_desc (IS NOT) = "ONLINE" in all of the case statements

try this, and see if it addresses your needs:

 

|eval short_description=case(short_desc="OFFLINE","system is offline", short_desc="SUSPECT","system is suspect", short_desc="Recovery pending", "system is recovering", 1=1, "System is Online")
|eval isAlert=if(short_desc!="ONLINE",1,0)

 

The fist eval populates "short_description" with a description of each state.

The second eval creates a new field called "isAlert". For any condition where the short_desc does not contain "ONLINE" it will return a 1, but for a normal online condition it will contain a 0  

If your aim is to fire an alert for an abnormal condition, you only need to worry about results in which isAlert=1, so adding

 

|search isAlert=1

 

at the end will only show you results which indicate the system was not reporting "ONLINE"

If my comment helps, please give it a thumbs up!
0 Karma
Reply

uagraw01
Builder
‎12-10-2020 10:23 AM

@nickhills  Yes i am agree, because multiple NOT condition in case statement are causing issue and all the not condition are consider only !=ONLINE condition value and create only single value.

Let me try your suggested SPL, i will let you know if this work. 

0 Karma
Reply

to4kawa
Ultra Champion
‎12-10-2020 01:35 PM

| eval sample=if(match(state_desc,"(ON|OFF)LINE"),"nothing", "what you want")

0 Karma
Reply

uagraw01
Builder
‎12-10-2020 01:42 PM

@to4kawa For multiple Not condition how match will work. Match command only work for true value. Please suggest when condition is not matched as suggested below.

0 Karma
Reply

to4kawa
Ultra Champion
‎12-11-2020 02:19 AM 
| makeresults
| eval Alpha=split("ABCDEFGHIJKLMNOPQRSTUVWXYZ","")
| mvexpand Alpha
| where NOT (Alpha="A" OR Alpha="C" OR Alpha="X" OR Alpha="Z")
0 Karma
Reply

nickhills
Ultra Champion
‎12-10-2020 05:52 AM

I'm not quite clear that I understand your issue.

Is there a reason you are using ! and CASE?

If there are only two options for the value of state_desc you could use "IF" and avoid the !

|eval state_description=if(state_desc="ONLINE", "system is online","system is offline")

 

If my comment helps, please give it a thumbs up!
Reply

uagraw01
Builder
‎12-10-2020 06:31 AM

 

 For below requirement i am use the case statement with ! Condition. Please assist.

IMG_20201210_200002.jpg

0 Karma
Reply
Get Updates on the Splunk Community!

Join Us for Splunk University and Get Your Bootcamp Game On!

If you know, you know! Splunk University is the vibe this summer so register today for bootcamps galore ...

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

.conf24 is taking place at The Venetian in Las Vegas from June 11 - 14. Continue reading to learn about the ...

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...