Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Why is the eval if statement in my search not producing any results if I add anything more with the AND operation?

mgrosholz
Path Finder
‎08-17-2016 10:54 AM

I am doing a search on two sourcetypes and looking for data that matches multiple parts of a field called method.
The two sourcetypes and first eval/case function work properly.
The second function fails if I add any more to the if statement with the AND operation.<--fails as in does not show any data.
The last part works with the stats/path if I remove the if statement that is causing trouble. 

sourcetype="A" OR sourcetype="B"
| eval HOST=case(sourcetype="A",host,sourcetype="B",host2)
| eval foo=if((method="X" AND method="Y" ...), "Suspect", null()) 
| stats values(foo) count(path) as PATH by HOST
| where PATH>=10
Reply

sundareshr
Legend
‎08-17-2016 07:49 PM

See if this works for you

    sourcetype="A" OR sourcetype="B"
    | eval HOST=case(sourcetype="A",host,sourcetype="B",host2)
    | stats values(method) as method count(path) as PATH  by host
    | eval foo=if(mvfind(method,"X")>=0 AND mvfind(method,"Y")>=0, "found", "didnotfind")
    | where PATH>=10 
    | fields - method
Reply

s2_splunk
Splunk Employee
Splunk Employee
‎08-17-2016 11:05 AM

The eval is executed per event, so on a single event, method can never be X AND Y at the same time...?

Reply

mgrosholz
Path Finder
‎08-17-2016 11:16 AM

I understand the confusion. I am not looking for a single event, rather multiple events.

i.e. A large group of events that show results by HOST, and if that HOST has events in method as X and Y it displays the data.

Essentially, I am looking for a pattern and displaying results when that pattern is found.

Is this a clearer explanation?

0 Karma
Reply

somesoni2
Revered Legend
‎08-17-2016 11:05 AM

The expression method="X" AND method="Y" will never be true as method can be either X or Y in same event.
If you're looking to match that field method contains X and Y, then try like this

sourcetype="A" OR sourcetype="B"
| eval HOST=case(sourcetype="A",host,sourcetype="B",host2)
| eval foo=if((match(method,"X") AND match(method,"Y")), "Suspect", null()) 
| stats values(foo) count(path) as PATH by HOST
| where PATH>=10
0 Karma
Reply

sundareshr
Legend
‎08-17-2016 10:58 AM

Since method is a single field, you should try OR instead of AND. The AND condition will not be true,

0 Karma
Reply

mgrosholz
Path Finder
‎08-17-2016 11:01 AM

The problem is I need that field to match on every part I AND.
i.e. method must equal X,Y,Z,... to trigger/pull results.

0 Karma
Reply

sundareshr
Legend
‎08-17-2016 11:14 AM

Is method extracted as a multi-value field? If yes, try this

... | eval foo=if(isnotnull(mvfind(method,"X")) AND isnotnull(mvfind(method,"Y"))...
0 Karma
Reply
Get Updates on the Splunk Community!

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...