Splunk Search
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

help with map command needed

damucka
Builder
‎08-16-2019 02:13 AM

I have a custom command "sleep60", which is a python script doing as per name.
Now, I would like to execute it in my alert SPL only then, if the variable "decision" = 1
I tried the following (just a shortened example):

  |makeresults | eval v="A"|eval decision=0 | where decision=1 | sleep60

and it does not work as I want. Okay, the v is not set at the end, but still the sleep60 gets executed, which is not what I would expect. So I thought I would trick with the map a bit, but this command is the one I have quite a respect, ... so I did not manage. I thought I would return the name of my command, sleep60, depending on the input "decision" variable and then execute it somehow, or not.
Here is what I came up with:

I |makeresults | eval decision=1 
|map maxsearches=20 search="|makeresults|eval t=$decision$| eval val=case(t=1,\"sleep60\",1<2,\"\") | return $val"

It properly returns the sleep60 or empty string depending on decision, .. but now I would need to put it into the command flow somehow to get it executed or skipped.

Any ideas?

Kind Regards,
Kamil

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Sukisen1981
Champion
‎08-18-2019 04:36 AM

your query does return sleep60 under a field named search, why not use it for further processing - 

|makeresults | eval decision=2 
 |map maxsearches=20 search="|makeresults|eval t=$decision$| eval val=case(t=1,\"sleep60\",1<2,\"\") | return $val" 
| where search="sleep60"
| eval x=123

so the eval x=123 fires on decision=1 only..

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

Sukisen1981
Champion
‎08-18-2019 04:36 AM

your query does return sleep60 under a field named search, why not use it for further processing - 

|makeresults | eval decision=2 
 |map maxsearches=20 search="|makeresults|eval t=$decision$| eval val=case(t=1,\"sleep60\",1<2,\"\") | return $val" 
| where search="sleep60"
| eval x=123

so the eval x=123 fires on decision=1 only..

0 Karma
Reply
Solved! Jump to solution

damucka
Builder
‎08-19-2019 06:16 AM

Yes, but actually I want the sleep60 python script to be executed on decision=1.
Anyway, I found the following way to sleep 60 seconds in splunk eventually:

| table host_to_trigger decision ANOMALY_ID triggertime RTEstatus   
 | where isnotnull(host_to_trigger) and isnotnull(decision) and isnotnull(ANOMALY_ID) and isnull(RTEstatus)
 | map maxsearches=20 search="dbxquery query=\"call itoa_admin.Z_PLEASE_SLEEP(60,?,?)\" connection=\"HANA_MLBSO\"  |appendcols[|makeresults| eval decision=\"$decision$\" | eval triggertime=\"$triggertime$\" |  eval ANOMALY_ID = \"$ANOMALY_ID$\" | eval host_to_trigger=\"$host_to_trigger$\" | eval RTEstatus=\"$RTEstatus$\"  ] "

where the Z_PLEASE_SLEEP is the DB procedure called from the dbxquery, called out of the map, controlled by the where ....

Kind Regards,
Kamil

0 Karma
Reply
Get Updates on the Splunk Community!

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...

In today’s evolving threat landscape, we understand you’re constantly bombarded with phishing and malware ...

AppDynamics is now part of Splunk Ideas

Hello Splunkers, We have exciting news for you! AppDynamics has been added to the Splunk Ideas Portal. Which ...

Advanced Splunk Data Management Strategies

Join us on Wednesday, May 14, 2025, at 11 AM PDT / 2 PM EDT for an exclusive Tech Talk that delves into ...
Top