Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Splunk search eval or other command

Harikiranjammul
Explorer
a month ago

Have events like below

1) date-Timestamp

Server - hostname

Status - host is down

Threshold - unable to ping

 

2) 

Date-Timestamp

Db - dbname

Status- database is down

Instance status- DB instance is not available 

 

I would need to write Eval condition and create new field description that if field status is " database is down" , I need to add date, dB, status, Instances status fields to description field

 

And if status is host down, need to add date,server, status, threshold to description field.

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
a month ago 
| eval description=case(Status="host is down",Date.",".Server.",".Status.",".Threshold,Status="database is down",Date.",".Db.",".Status.",".'Instance status')

View solution in original post

Reply
Solved! Jump to solution

livehybrid
Super Champion
a month ago

Hi @Harikiranjammul 

Use an eval statement with a conditional to build the description field based on the value of status.

|makeresults | eval Server="host1", Status="host is down", Threshold="unable to ping"
| append [| makeresults | eval Db="db1", Status="database is down", Instance_status="DB instance is not available"]
| eval date=strftime(_time, "%d/%m/%Y %H:%M:%S")
| eval description=case(
Status=="database is down", "date=" . date . " Db=" . Db . " Status=" . Status . " Instance_status=" . Instance_status,
Status=="host is down", "date=" . date . " Server=" . Server . " Status=" . Status . " Threshold=" . Threshold
)

 

This SPL checks the Status field and constructs the description field by concatenating the relevant fields for each case.

Ensure your field names match exactly (case-sensitive) and are extracted correctly before using this logic.

🌟 Did this answer help you? If so, please consider:

  • Adding karma to show it was useful
  • Marking it as the solution if it resolved your issue
  • Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing

 

Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
a month ago 
| eval description=case(Status="host is down",Date.",".Server.",".Status.",".Threshold,Status="database is down",Date.",".Db.",".Status.",".'Instance status')
Reply
Solved! Jump to solution

Harikiranjammul
Explorer
a month ago

Thank you

How can I use eval like here?

I mean here status field contains someother text before and after the 'Host is down' and 'database is down' values and it varies every event.

just wanted to put status=like(*host is down*)

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
a month ago 
| eval description=case(like(Status,"%host is down%"),Date.",".Server.",".Status.",".Threshold,like(Status,"%database is down%"),Date.",".Db.",".Status.",".'Instance status')
0 Karma
Reply
Solved! Jump to solution

livehybrid
Super Champion
a month ago

Hi @Harikiranjammul 

If you can, restrict the first part of the search by adding

(Status="*host is down* OR Status="*Some other criteria*")

🌟 Did this answer help you? If so, please consider:

  • Adding karma to show it was useful
  • Marking it as the solution if it resolved your issue
  • Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability Cloud's AI Assistant in Action Series: Auditing Compliance and ...

This is the third post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how to ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

What You Read The Most: Splunk Lantern’s Most Popular Articles!

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...
Top