Splunk Search

double fields If Statements

Path Finder

Hello Guys,

I am trying to generate different fields using if.

I would like to write a query which looks at the following:

if sender=="x" then eval field_a=time_a and eval field_b=time_b
else if sender=="y" then eval field_x=time_x and eval field_y=time_y

As for the general scenario: I want to calculate the duration of the processing of log files. For this, log files are sent from a server_a to a server_b, where they are processed and sent back to server_a.

Here I want to write a query which calculates how long the file needs from server_a to server_b, how long from server_b to server_a, and the total duration, that is server_a -> server_b -> server_a.

0 Karma

Esteemed Legend

Like this:

... | eval field_a = if(sender=="x", time_a, null()), field_b = if(sender=="x", time_b, null()), field_x = if(sender=="y", time_x, null()), field_y = if(sender=="y", time_y, null())
0 Karma


Hi mklhs,
it isn't clear to me what the values should be when the if conditions are false:
in Splunk you use the if condition in an eval command, giving the condition to verify and the values for condition=true and condition=false:

| eval field=if(condition,value_for_condition_true,value_for_condition_false)

Anyway, you can use an if condition in an eval command, something like this (using the value "no time" when the if condition is false):

| eval field_a=if(sender="x",time_a,"no time"), field_b=if(sender="x",time_b,"no time"), field_x=if(sender="y",time_x,"no time"), field_y=if(sender="y",time_y,"no time")
| ...

You can see more at https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/CommonEvalFunctions


0 Karma

Path Finder

Thank you very much for your answer! Unfortunately it is not what I am looking for. I would like to set up monitoring to detect if the latency of the file processing is too high. I have to calculate the time from server_a to server_b and back again, per direction and in total. I can identify the event running from server_a -> server_b -> server_a by a unique id. I calculate the duration for 3 possible event_types in my current query, but so far I can't tell if the calculated duration is valid from server_a to server_b or from server_b to server_a.

0 Karma


Hi @mklhs,
could you share a sample?
I'll try to interpret what you need:
you have a transaction identified by an ID that's the same in all events on server_a and server_b,
you want to calculate the time difference between these two servers (latency) and then the time difference from server_b to server_a,
to calculate the first you have two events with the same ID=12345 like these
2019-11-11 12:09:20 server_a 12345
2019-11-11 12:09:30 server_b 12345
so the difference is 10 seconds.
Then you have:
2019-11-11 12:09:40 server_b 12345
2019-11-11 12:09:55 server_a 12345
so the difference is 15 seconds.
You want to display these latencies, is that correct?

So you can run something like this:

| makeresults | eval host="server_a", time="2019-11-11 12:10:10", ID="12345"
| append [ | makeresults | eval host="server_b", time="2019-11-11 12:10:20", ID="12345" ]
| append [ | makeresults | eval host="server_b", time="2019-11-11 12:10:30", ID="12345" ]
| append [ | makeresults | eval host="server_a", time="2019-11-11 12:10:45", ID="12345" ]
| stats first(eval(if(host="server_a",time,null()))) AS first_a first(eval(if(host="server_b",time,null()))) AS first_b last(eval(if(host="server_a",time,null()))) AS last_a last(eval(if(host="server_b",time,null()))) AS last_b BY ID
| eval latency_1=strptime(first_b,"%Y-%m-%d %H:%M:%S")-strptime(first_a,"%Y-%m-%d %H:%M:%S"), latency_2=strptime(last_a,"%Y-%m-%d %H:%M:%S")-strptime(last_b,"%Y-%m-%d %H:%M:%S")


0 Karma
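The same per-direction and round-trip latency computation, written out in Python as an added example that is not part of any answer in this thread. The log lines, host names, transaction IDs and thresholds are constructed for the example. Unlike the stats first()/last() approach above, it sorts each transaction's events by timestamp before picking the legs, so the result does not depend on the order Splunk returns events in (newest-first by default), it reports transactions that have not yet returned to server_a as incomplete instead of producing a bogus duration, and it adds the threshold check the question asks for.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample events (not from the thread): "timestamp host transaction_id".
# 12345 is a normal round trip, 67890 is slow on the outbound leg,
# 99999 has reached server_b but has not come back yet.
SAMPLE_LOG = """\
2019-11-11 12:10:45 server_a 12345
2019-11-11 12:10:30 server_b 12345
2019-11-11 12:10:20 server_b 12345
2019-11-11 12:10:10 server_a 12345
2019-11-11 12:11:00 server_a 67890
2019-11-11 12:11:50 server_b 67890
2019-11-11 12:12:05 server_b 67890
2019-11-11 12:12:10 server_a 67890
2019-11-11 12:13:00 server_a 99999
2019-11-11 12:13:04 server_b 99999
"""

TIME_FORMAT = "%Y-%m-%d %H:%M:%S"


def parse_events(text):
    """Parse 'date time host id' lines into (datetime, host, id) tuples."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        date, clock, host, tid = line.split()
        events.append((datetime.strptime(f"{date} {clock}", TIME_FORMAT), host, tid))
    return events


def latencies_by_id(events, origin="server_a", remote="server_b"):
    """
    Per transaction ID, return a dict with (all in seconds, or None when that
    leg has not completed yet):
      a_to_b : first origin event -> first remote event
      b_to_a : last remote event  -> last origin event
      total  : first origin event -> last origin event (includes processing on remote)
    """
    grouped = defaultdict(list)
    for ts, host, tid in events:
        grouped[tid].append((ts, host))

    results = {}
    for tid, evs in grouped.items():
        evs.sort()  # order by timestamp; never trust the input/search order
        origin_times = [ts for ts, host in evs if host == origin]
        remote_times = [ts for ts, host in evs if host == remote]
        a_to_b = b_to_a = total = None
        if origin_times and remote_times:
            a_to_b = (remote_times[0] - origin_times[0]).total_seconds()
            # The return leg only exists once the origin has logged an event
            # after the last remote event; otherwise the file is still on remote.
            if origin_times[-1] > remote_times[-1]:
                b_to_a = (origin_times[-1] - remote_times[-1]).total_seconds()
                total = (origin_times[-1] - origin_times[0]).total_seconds()
        results[tid] = {"a_to_b": a_to_b, "b_to_a": b_to_a, "total": total}
    return results


def slow_transactions(results, max_leg, max_total):
    """IDs whose completed legs or completed round trip exceed the thresholds."""
    slow = []
    for tid, r in results.items():
        legs = [v for v in (r["a_to_b"], r["b_to_a"]) if v is not None]
        over_leg = any(v > max_leg for v in legs)
        over_total = r["total"] is not None and r["total"] > max_total
        if over_leg or over_total:
            slow.append(tid)
    return sorted(slow)


if __name__ == "__main__":
    res = latencies_by_id(parse_events(SAMPLE_LOG))
    for tid, r in sorted(res.items()):
        print(tid, r)
    print("slow:", slow_transactions(res, max_leg=30, max_total=60))
```

Note that the events for 12345 are deliberately listed newest-first, as a Splunk search would return them, and still yield a 10 s outbound and 15 s return leg; the equivalent SPL would need a `| sort _time` (or `earliest()`/`latest()` instead of `first()`/`last()`) to be order-safe in the same way.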