Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Why is the eval if statement in my search not producing any results if I add anything more with the AND operation?

mgrosholz
Path Finder
‎08-17-2016 10:54 AM

I am doing a search on two sourcetypes and looking for data that matches multiple parts of a field called method.
The two sourcetypes and first eval/case function work properly.
The second function fails if I add any more to the if statement with the AND operation.<--fails as in does not show any data.
The last part works with the stats/path if I remove the if statement that is causing trouble. 

sourcetype="A" OR sourcetype="B"
| eval HOST=case(sourcetype="A",host,sourcetype="B",host2)
| eval foo=if((method="X" AND method="Y" ...), "Suspect", null()) 
| stats values(foo) count(path) as PATH by HOST
| where PATH>=10
Reply

sundareshr
Legend
‎08-17-2016 07:49 PM

See if this works for you

    sourcetype="A" OR sourcetype="B"
    | eval HOST=case(sourcetype="A",host,sourcetype="B",host2)
    | stats values(method) as method count(path) as PATH  by host
    | eval foo=if(mvfind(method,"X")>=0 AND mvfind(method,"Y")>=0, "found", "didnotfind")
    | where PATH>=10 
    | fields - method
Reply

s2_splunk
Splunk Employee
Splunk Employee
‎08-17-2016 11:05 AM

The eval is executed per event, so on a single event, method can never be X AND Y at the same time...?

Reply

mgrosholz
Path Finder
‎08-17-2016 11:16 AM

I understand the confusion. I am not looking for a single event, rather multiple events.

i.e. A large group of events that show results by HOST, and if that HOST has events in method as X and Y it displays the data.

Essentially, I am looking for a pattern and displaying results when that pattern is found.

Is this a clearer explanation?

0 Karma
Reply

somesoni2
Revered Legend
‎08-17-2016 11:05 AM

The expression method="X" AND method="Y" will never be true as method can be either X or Y in same event.
If you're looking to match that field method contains X and Y, then try like this

sourcetype="A" OR sourcetype="B"
| eval HOST=case(sourcetype="A",host,sourcetype="B",host2)
| eval foo=if((match(method,"X") AND match(method,"Y")), "Suspect", null()) 
| stats values(foo) count(path) as PATH by HOST
| where PATH>=10
0 Karma
Reply

sundareshr
Legend
‎08-17-2016 10:58 AM

Since method is a single field, you should try OR instead of AND. The AND condition will not be true,

0 Karma
Reply

mgrosholz
Path Finder
‎08-17-2016 11:01 AM

The problem is I need that field to match on every part I AND.
i.e. method must equal X,Y,Z,... to trigger/pull results.

0 Karma
Reply

sundareshr
Legend
‎08-17-2016 11:14 AM

Is method extracted as a multi-value field? If yes, try this

... | eval foo=if(isnotnull(mvfind(method,"X")) AND isnotnull(mvfind(method,"Y"))...
0 Karma
Reply
Get Updates on the Splunk Community!

Splunk App for Anomaly Detection End of Life Announcment

Q: What is happening to the Splunk App for Anomaly Detection?A: Splunk is officially announcing the ...

Aligning Observability Costs with Business Value: Practical Strategies

 Join us for an engaging Tech Talk on Aligning Observability Costs with Business Value: Practical ...

Mastering Data Pipelines: Unlocking Value with Splunk

 In today's AI-driven world, organizations must balance the challenges of managing the explosion of data with ...