Splunk search eval or other command

Harikiranjammul
Explorer

Have events like below:

1)
date - Timestamp
Server - hostname
Status - host is down
Threshold - unable to ping

2)
Date - Timestamp
Db - dbname
Status - database is down
Instance status - DB instance is not available

 

I would need to write an eval condition and create a new field, description, such that if the Status field is "database is down", I add the date, Db, Status, and Instance status fields to the description field.

 

And if Status is host down, I need to add date, Server, Status, and Threshold to the description field.


livehybrid
Super Champion

Hi @Harikiranjammul 

Use an eval statement with a conditional to build the description field based on the value of status.

| makeresults | eval Server="host1", Status="host is down", Threshold="unable to ping"
| append [| makeresults | eval Db="db1", Status="database is down", Instance_status="DB instance is not available"]
| eval date=strftime(_time, "%d/%m/%Y %H:%M:%S")
| eval description=case(
    Status=="database is down", "date=" . date . " Db=" . Db . " Status=" . Status . " Instance_status=" . Instance_status,
    Status=="host is down", "date=" . date . " Server=" . Server . " Status=" . Status . " Threshold=" . Threshold
)

 

This SPL checks the Status field and constructs the description field by concatenating the relevant fields for each case.

Ensure your field names match exactly (case-sensitive) and are extracted correctly before using this logic.


 

ITWhisperer
SplunkTrust
| eval description=case(Status="host is down",Date.",".Server.",".Status.",".Threshold,Status="database is down",Date.",".Db.",".Status.",".'Instance status')

Harikiranjammul
Explorer

Thank you

How can I use eval like here?

I mean here the Status field contains some other text before and after the 'Host is down' and 'database is down' values, and it varies every event.

I just wanted to put status=like(*host is down*)


ITWhisperer
SplunkTrust
| eval description=case(like(Status,"%host is down%"),Date.",".Server.",".Status.",".Threshold,like(Status,"%database is down%"),Date.",".Db.",".Status.",".'Instance status')
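An added, self-contained version of the like() approach above (example SPL written for this page, not from either answer): makeresults builds three constructed sample events whose Status values carry extra text before and after the key phrase, as in the follow-up question. The lower() wrapper (so the match is case-insensitive, since like() is case-sensitive and the question mixes 'Host is down' and 'host is down'), the true() catch-all branch, and the field name Instance_status are assumptions added here; the page's own field is written 'Instance status'.

```spl
| makeresults
| eval Server="host1", Status="ALERT: Host is down (ping timeout)", Threshold="unable to ping"
| append
    [| makeresults
     | eval Db="db1", Status="Oracle check: database is down since 02:00", Instance_status="DB instance is not available"]
| append
    [| makeresults
     | eval Server="host2", Status="host is degraded"]
| eval Date=strftime(_time, "%Y-%m-%d %H:%M:%S")
| eval description=case(
    like(lower(Status), "%host is down%"),     Date.",".Server.",".Status.",".Threshold,
    like(lower(Status), "%database is down%"), Date.",".Db.",".Status.",".Instance_status,
    true(),                                     "unclassified: ".Status
  )
| table Date Status description
```

The third event exercises the catch-all branch, which is what keeps description from being null for statuses that match neither pattern; without it, case() returns null for those events and they silently drop out of any later filter on description.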

livehybrid
Super Champion

Hi @Harikiranjammul 

If you can, restrict the first part of the search by adding

(Status="*host is down*" OR Status="*Some other criteria*")

