Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

help with map command needed

damucka
Builder
‎08-16-2019 02:13 AM

I have a custom command "sleep60", which is a python script doing as per name.
Now, I would like to execute it in my alert SPL only then, if the variable "decision" = 1
I tried the following (just a shortened example):

  |makeresults | eval v="A"|eval decision=0 | where decision=1 | sleep60

and it does not work as I want. Okay, the v is not set at the end, but still the sleep60 gets executed, which is not what I would expect. So I thought I would trick with the map a bit, but this command is the one I have quite a respect, ... so I did not manage. I thought I would return the name of my command, sleep60, depending on the input "decision" variable and then execute it somehow, or not.
Here is what I came up with:

I |makeresults | eval decision=1 
|map maxsearches=20 search="|makeresults|eval t=$decision$| eval val=case(t=1,\"sleep60\",1<2,\"\") | return $val"

It properly returns the sleep60 or empty string depending on decision, .. but now I would need to put it into the command flow somehow to get it executed or skipped.

Any ideas?

Kind Regards,
Kamil

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Sukisen1981
Champion
‎08-18-2019 04:36 AM

your query does return sleep60 under a field named search, why not use it for further processing - 

|makeresults | eval decision=2 
 |map maxsearches=20 search="|makeresults|eval t=$decision$| eval val=case(t=1,\"sleep60\",1<2,\"\") | return $val" 
| where search="sleep60"
| eval x=123

so the eval x=123 fires on decision=1 only..

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

Sukisen1981
Champion
‎08-18-2019 04:36 AM

your query does return sleep60 under a field named search, why not use it for further processing - 

|makeresults | eval decision=2 
 |map maxsearches=20 search="|makeresults|eval t=$decision$| eval val=case(t=1,\"sleep60\",1<2,\"\") | return $val" 
| where search="sleep60"
| eval x=123

so the eval x=123 fires on decision=1 only..

0 Karma
Reply
Solved! Jump to solution

damucka
Builder
‎08-19-2019 06:16 AM

Yes, but actually I want the sleep60 python script to be executed on decision=1.
Anyway, I found the following way to sleep 60 seconds in splunk eventually:

| table host_to_trigger decision ANOMALY_ID triggertime RTEstatus   
 | where isnotnull(host_to_trigger) and isnotnull(decision) and isnotnull(ANOMALY_ID) and isnull(RTEstatus)
 | map maxsearches=20 search="dbxquery query=\"call itoa_admin.Z_PLEASE_SLEEP(60,?,?)\" connection=\"HANA_MLBSO\"  |appendcols[|makeresults| eval decision=\"$decision$\" | eval triggertime=\"$triggertime$\" |  eval ANOMALY_ID = \"$ANOMALY_ID$\" | eval host_to_trigger=\"$host_to_trigger$\" | eval RTEstatus=\"$RTEstatus$\"  ] "

where the Z_PLEASE_SLEEP is the DB procedure called from the dbxquery, called out of the map, controlled by the where ....

Kind Regards,
Kamil

0 Karma
Reply
Get Updates on the Splunk Community!

A Prelude to .conf25: Your Guide to Splunk University

Heading to Boston this September for .conf25? Get a jumpstart by arriving a few days early for Splunk ...

4 Ways the Splunk Community Helps You Prepare for .conf25

.conf25 is right around the corner, and whether you’re a first-time attendee or a seasoned Splunker, the ...

Enhance Your Splunk App Development: New Tools & Support

UCC FrameworkAdd-on Builder has been around for quite some time. It helps build Splunk apps faster, but it ...
Top