Re: String validation in chart eval

marellasunil · ‎04-09-2013

For another query where I have to use not equal to in a query for string, even not equal to is not working properly in eval There are 10 services with Success and failures, Consider as A, B ...J, for one service say B there is an error code 102, 103 & 104 (It is an error). If errorcode is 102 I want to add it to success so I used the query

.. | chart count(eval(Status="Success" OR ServiceName="B" AND ErrorCode=102)) as "Success", count(eval(Status="Error" OR ServiceNameLookup="B" AND ErrorCode!=102)) as "Fail" by ServiceName

This query counting 102 for both sucess & falures.

Any suggetions for both please

kristian_kolb · ‎04-10-2013

UPDATE (or rather a complete rewrite)

It's too late in this TZ to do any clever thinking. Forget the previous attempt, and do like this instead;

... | eval NewStat = if(errorcode=="102" AND service=="B", "success", status) | ...

This creates a temporary variable called NewStat in each event, which will be set to 'success' if the errorcode=102 and the service=B, for all other events it will just copy the value of 'status'.

Then you can use NewStat for any further reporting, such as;

... | chart c over service by NewStat

Hope this helps,

Kristian

kristian_kolb · ‎04-15-2013

see update above. tested and working. /k

marellasunil · ‎04-10-2013

Sorry, Kristian. That did't work. 😞 tried in several ways

String validation in chart eval

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases