Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Where function not calculating fields as expected

cshadduck
Explorer
‎08-12-2019 02:19 PM

I have a basic search to identify systems that have not checked into a service for X amount of time. There is nothing fancy about the search but I must be missing something simple because when I use the where function to compare two fields I get no results. I am searching a list of hostnames, setting a threshold to compare against, and trying to display only events that are older than the set threshold:

index=main sourcetype="app:agent" hostname IN (host1 host2 host3)
| eval hostname=upper(hostname)
| eval threshold=now()-30
| stats latest(_time) as LastCheckin values(threshold) by computer_name
| where LastCheckin<threshold
| eval LastCheckin=strftime(LastCheckin,"%m-%d-%Y %H:%M:%S")

A couple of things to note:

  1. App checks in every couple minutes, so for testing the search only checks for events older than 30 seconds ago as I know there are events older than that.
  2. Threshold field is included in stats to verify value is in fact evaled correctly
  3. Taking out the where function will display results as expected

  4. I have another search using inputlookup that does work using the same type of format:

    | inputlookup hosts.csv
    | eval drop_off=now()-1728000
    | where latest < drop_off
    | stats values(latest) as latest by hostname
    | outputlookup hosts_dropoff.csv
    Any thoughts as to why I am getting these results? As I know inputlookup works for another case, I could apply it to this search but would rather not add another step to this process.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

cshadduck
Explorer
‎08-13-2019 08:46 AM

So I am at a loss as to why it is working now but it simply needed spaces before and after the < sign. I had tried all these combinations but for whatever reason it started working this morning. Maybe it had something to do with the other changes to the search in combination with that. Whatever the case it is working now:

index=main sourcetype="app:agent" hostname IN (host1 host2 host3)
 | eval hostname=upper(hostname)
 | eval threshold=now()-30
 | stats max(_time) as LastCheckin values(threshold) by computer_name
 | where LastCheckin < threshold
 | timeformat LastCheckin=strftime(LastCheckin,"%m-%d-%Y %H:%M:%S")

Thanks for all the help everyone.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

cshadduck
Explorer
‎08-13-2019 08:46 AM

So I am at a loss as to why it is working now but it simply needed spaces before and after the < sign. I had tried all these combinations but for whatever reason it started working this morning. Maybe it had something to do with the other changes to the search in combination with that. Whatever the case it is working now:

index=main sourcetype="app:agent" hostname IN (host1 host2 host3)
 | eval hostname=upper(hostname)
 | eval threshold=now()-30
 | stats max(_time) as LastCheckin values(threshold) by computer_name
 | where LastCheckin < threshold
 | timeformat LastCheckin=strftime(LastCheckin,"%m-%d-%Y %H:%M:%S")

Thanks for all the help everyone.

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎08-13-2019 10:15 AM

This is wrong and cannot (and therefore DOES not) work. You DO NOT have any field named threshold. That is the whole problem. See my answer below (which was modified since first posting) for a complete fix.

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎08-12-2019 04:19 PM

You should never use latest(_time) but instead always max(_time); also, use fieldformat be sure that you maintain integer aspect of time fields. The main problem is that you did not name threshold so the field created is values(threshold). This still may not working because values() creates a multivalue field, perhaps even when there is only 1. Try this:

index=main sourcetype="app:agent" hostname IN("host1", "host2", "host3")
| eval hostname=upper(hostname)
| eval threshold=now()-30
| stats latest(_time) as LastCheckin max(threshold) AS threshold BY computer_name
| where LastCheckin<threshold
| fieldformat LastCheckin=strftime(LastCheckin,"%m-%d-%Y %H:%M:%S")
0 Karma
Reply
Solved! Jump to solution

cshadduck
Explorer
‎08-12-2019 06:39 PM

Thanks, I like fieldformat as it makes more sense. Why is max(_time) better than latest(_time)?

As for the results, it is still not filtering the events.

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎08-13-2019 07:02 AM

Using max has half the work and in the past has actually been more reliable.

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎08-13-2019 07:04 AM

This is not working because you did not name threshold so it has the name values(threshold) and also values() creates a multivalue field, perhaps even when there is only 1. Try my updated answer.

0 Karma
Reply
Get Updates on the Splunk Community!

New This Month in Splunk Observability Cloud - Metrics Usage Analytics, Enhanced K8s ...

The latest enhancements across the Splunk Observability portfolio deliver greater flexibility, better data and ...

Alerting Best Practices: How to Create Good Detectors

At their best, detectors and the alerts they trigger notify teams when applications aren’t performing as ...

Discover Powerful New Features in Splunk Cloud Platform: Enhanced Analytics, ...

Hey Splunky people! We are excited to share the latest updates in Splunk Cloud Platform 9.3.2408. In this ...