Solved: Service maintenance in search

niemi_splunk · ‎10-21-2024

Hi,

I am a rookie in SPL and I have this general correlation search for application events:

index="foo" sourcetype="bar" (fields.A="something" "fields.B"="something else")

If this was a application specific search I could just specify the service in the search. But what I want to achieve is to use a service id from event rather than a fixed value to suppress results for that specific service. If I append
| `filter_maintenance_services("e5095542-9132-402f-8f17-242b83710b66")` to the search it works but if I use the event data service id it does not. Ex.
| `filter_maintenance_services($fields.ServiceID$)`

I suspect that it has to do with fields.ServiceID not being populated when the filter is deployed. How can get this to work?

niemi_splunk

Thanks Yuanliu.

I ended up using some of the macro in my search and it works:

| eval service_ids = $fields.ServiceID$
| eval maintenance_object_type = "service", maintenance_object_key = service_ids
| lookup operative_maintenance_log maintenance_object_type, maintenance_object_key OUTPUT _key as maintenance_log_key
| eval in_maintenance = if(IsNull(maintenance_log_key), 0, 1)
| fields - maintenance_object_key, maintenance_object_type, maintenance_log_key
| where IsNull(in_maintenance) OR (in_maintenance != 1)
| fields - in_maintenance
| mvcombine service_ids
| fields - service_ids

I tried a lot of variants for your suggestion to use the macro but didn't find any that worked

View solution in original post

yuanliu

Let's first clarify your use case. Your attempted code suggests two implications:

You are trying to substitute parameter in a macro filter_maintenance_services(1); and
You are using this in a dashboard or a map command, where $fields.ServiceID$ dereferences into a service ID such as e5095542-9132-402f-8f17-242b83710b66.

Are these correct?

It seems that you run into a quirk in that macro. It is written such that quotation marks are required to invoke it properly. (I've written a macro that behaves this way and it took me a while to realize this requirement.) Try

| `filter_maintenance_services("\"$fields.ServiceID$\"")`

or some variant of this.

niemi_splunk

Thanks Yuanliu.

I ended up using some of the macro in my search and it works:

| eval service_ids = $fields.ServiceID$
| eval maintenance_object_type = "service", maintenance_object_key = service_ids
| lookup operative_maintenance_log maintenance_object_type, maintenance_object_key OUTPUT _key as maintenance_log_key
| eval in_maintenance = if(IsNull(maintenance_log_key), 0, 1)
| fields - maintenance_object_key, maintenance_object_type, maintenance_log_key
| where IsNull(in_maintenance) OR (in_maintenance != 1)
| fields - in_maintenance
| mvcombine service_ids
| fields - service_ids

I tried a lot of variants for your suggestion to use the macro but didn't find any that worked

richgalloway · ‎10-21-2024

To refer to a field in an event, use single quotes around the field name. Dollar signs refer to tokens, which are not part of an event.

| `filter_maintenance_services('fields.ServiceID')`

---
If this reply helps you, Karma would be appreciated.

niemi_splunk · ‎10-21-2024

Thanks, but I already tried that and does not work.

Service maintenance in search

other

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

Monitoring Amazon Elastic Kubernetes Service (EKS)