Splunk Search

double fields If Statements

mklhs
Path Finder

Hello Guys,

i try to generate different fields using if 2.

I would like to write a query which looks at the following:

if sender==x then eval field_a==time_a and eval field_b==time_b
if else sender===y then eval field_x==time and eval field_y==time_y

To the general scenario I want to calculate the duration of the processing of log files. For this log files are sent from a server_a to a server_b where they are processed and sent back to server_a.

Here I want to write a query which calculates how long the file needs from server_a to server_b... how long from server_b to server_a and total duration... speaks server_a -> server_b -> server_a

0 Karma

woodcock
Esteemed Legend

Like this:

... | eval field_a = if(sender=="x", time_a, null()), field_b = if(sender=="x", null()), field_x = if(sender=="y", time_x, null(), field_y = if(sender=="y", time_y, null())
0 Karma

gcusello
SplunkTrust
SplunkTrust

HI mklhs,
it isn't so clear for me the values when the if conditions are false:
in Splunk you use the if condition in an eval command, inserting the condition to verify and the values for condition=true and condition=false:

| eval field=if(condition,value_for condition_true,value_for condition_false)

Anyway, you can use if condition in an eval command, something like this (using the value "no time" when the if condition is false:

your_search
| eval field_a=if(sender="x",time_a,"no time"), field_b=if(sender="x",time_b,"no time"), field_x=if(sender="y",time_x,"no time"), field_y=if(sender="y",time_y,"no time")
| ...

You can see more at https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/CommonEvalFunctions

Ciao.
Giuseppe

0 Karma

mklhs
Path Finder

Thank you very much for your answer! Unfortunately it is not what I am looking for. I would like to set up a monitoring to detect if the latency of the file processing is too high. I have to calculate the time from server_a to server_b and back again. Per direction and in total. I can identify the event running from server_a -> server_b -> server_a by a unique id. I calculate the duration for 3 possible event_types in my current query, but so far I can't tell if the calculated duration is valid from server_a to server_b or from server_b to server_a.

0 Karma

gcusello
SplunkTrust
SplunkTrust

-HI @mklhs,
could you share a sample?
I try to interpret you need:
you have a transation identified by an ID that's the same in all events on server_a and server_b,
you want to calculate the time difference between these two servers (latency) and then the time difference from server_b to server_a,
to calculate the first you have two events with the same ID=12345 like these
2019-11-11 12:09:20 server_a 12345
2019-11-11 12:09:30 server_b 12345
so the difference is 10 seconds.
Then you have:
2019-11-11 12:09:40 server_b 12345
2019-11-11 12:09:55 server_a 12345
so the difference is 15 seconds.
You want to display these latecies, is it correct?

So you can run something like this:

| makeresults | eval host="server_a", time="2019-11-11 12:10:10", ID="12345"
| append [ | makeresults | eval host="server_b", time="2019-11-11 12:10:20", ID="12345" ]
| append [ | makeresults | eval host="server_b", time="2019-11-11 12:10:30", ID="12345" ]
| append [ | makeresults | eval host="server_a", time="2019-11-11 12:10:45", ID="12345" ]
| stats first(eval(if(host="server_a",time,NULL))) AS first_a first(eval(if(host="server_b",time,NULL))) AS first_b last(eval(if(host="server_a",time,NULL))) AS last_a last(eval(if(host="server_b",time,NULL))) AS last_b BY ID
| eval latency_1=strptime(first_b,"%Y-%m-%d %H:%M:%S")-strptime(first_a,"%Y-%m-%d %H:%M:%S"), latency_2=strptime(last_a,"%Y-%m-%d %H:%M:%S")-strptime(last_b,"%Y-%m-%d %H:%M:%S")

Ciao.
Giuseppe

0 Karma
Get Updates on the Splunk Community!

Splunk is Nurturing Tomorrow’s Cybersecurity Leaders Today

Meet Carol Wright. She leads the Splunk Academic Alliance program at Splunk. The Splunk Academic Alliance ...

Part 2: A Guide to Maximizing Splunk IT Service Intelligence

Welcome to the second segment of our guide. In Part 1, we covered the essentials of getting started with ITSI ...

Part 1: A Guide to Maximizing Splunk IT Service Intelligence

As modern IT environments continue to grow in complexity and speed, the ability to efficiently manage and ...