Why is the eval if statement in my search not producing any results if I add anything more with the AND operation?

mgrosholz
Path Finder

I am doing a search on two sourcetypes and looking for data that matches multiple parts of a field called method.
The two sourcetypes and first eval/case function work properly.
The second function fails if I add any more to the if statement with the AND operation (fails as in: does not show any data).
The last part works with the stats/path if I remove the if statement that is causing trouble.

sourcetype="A" OR sourcetype="B"
| eval HOST=case(sourcetype="A",host,sourcetype="B",host2)
| eval foo=if((method="X" AND method="Y" ...), "Suspect", null()) 
| stats values(foo) count(path) as PATH by HOST
| where PATH>=10

sundareshr
Legend

See if this works for you

    sourcetype="A" OR sourcetype="B"
    | eval HOST=case(sourcetype="A",host,sourcetype="B",host2)
    | stats values(method) as method count(path) as PATH by HOST
    | eval foo=if(mvfind(method,"X")>=0 AND mvfind(method,"Y")>=0, "found", "didnotfind")
    | where PATH>=10
    | fields - method

s2_splunk
Splunk Employee

The eval is executed per event, so on a single event, method can never be X AND Y at the same time...?

mgrosholz
Path Finder

I understand the confusion. I am not looking for a single event, rather multiple events.

i.e. a large group of events that show results by HOST, and if that HOST has events with method X and Y it displays the data.

Essentially, I am looking for a pattern and displaying results when that pattern is found.

Is this a clearer explanation?


somesoni2
Revered Legend

The expression method="X" AND method="Y" will never be true, as method can be either X or Y in the same event.
If you're looking to match that field method contains X and Y, then try like this

sourcetype="A" OR sourcetype="B"
| eval HOST=case(sourcetype="A",host,sourcetype="B",host2)
| eval foo=if((match(method,"X") AND match(method,"Y")), "Suspect", null()) 
| stats values(foo) count(path) as PATH by HOST
| where PATH>=10

sundareshr
Legend

Since method is a single field, you should try OR instead of AND. The AND condition will not be true.


mgrosholz
Path Finder

The problem is I need that field to match on every part I AND.
i.e. method must equal X,Y,Z,... to trigger/pull results.


sundareshr
Legend

Is method extracted as a multi-value field? If yes, try this

... | eval foo=if(isnotnull(mvfind(method,"X")) AND isnotnull(mvfind(method,"Y"))...
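Putting the thread's advice together, here is an added example search (not posted by anyone in the thread) that aggregates per HOST first and only then tests the collected method values, which is what a cross-event pattern needs. It assumes the field names from the question, a hypothetical third required value Z, and anchored regexes so that "X" does not also match a value such as "XY".

```spl
sourcetype="A" OR sourcetype="B"
| eval HOST=case(sourcetype="A",host,sourcetype="B",host2)
| stats values(method) as methods count(path) as PATH by HOST
| eval foo=if(mvfind(methods,"^X$")>=0 AND mvfind(methods,"^Y$")>=0 AND mvfind(methods,"^Z$")>=0, "Suspect", null())
| where PATH>=10 AND isnotnull(foo)
| fields HOST PATH foo
```

values() collects every distinct method seen for a host into one multivalue field, and mvfind returns null when a pattern is absent, so the AND fails for any host missing one of the required values; a per-event eval can never express this because each event carries only one method.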