help with map command needed

damucka
Builder

I have a custom command "sleep60", which is a python script doing as per name.
Now, I would like to execute it in my alert SPL only then, if the variable "decision" = 1
I tried the following (just a shortened example):

  |makeresults | eval v="A"|eval decision=0 | where decision=1 | sleep60

and it does not work as I want. Okay, the v is not set at the end, but still the sleep60 gets executed, which is not what I would expect. So I thought I would trick with the map a bit, but this command is one I have quite a lot of respect for, ... so I did not manage. I thought I would return the name of my command, sleep60, depending on the input "decision" variable and then execute it somehow, or not.
Here is what I came up with:

  |makeresults | eval decision=1
  |map maxsearches=20 search="|makeresults|eval t=$decision$| eval val=case(t=1,\"sleep60\",1<2,\"\") | return $val"

It properly returns the sleep60 or empty string depending on decision, but now I would need to put it into the command flow somehow to get it executed or skipped.

Any ideas?

Kind Regards,
Kamil

0 Karma
1 Solution

Sukisen1981
Champion

Your query does return sleep60 under a field named search, so why not use it for further processing:

  |makeresults | eval decision=2
  |map maxsearches=20 search="|makeresults|eval t=$decision$| eval val=case(t=1,\"sleep60\",1<2,\"\") | return $val"
  | where search="sleep60"
  | eval x=123

So the eval x=123 fires on decision=1 only.

0 Karma

damucka
Builder

Yes, but actually I want the sleep60 python script to be executed on decision=1.
Anyway, I found the following way to sleep 60 seconds in Splunk eventually:

  | table host_to_trigger decision ANOMALY_ID triggertime RTEstatus
  | where isnotnull(host_to_trigger) and isnotnull(decision) and isnotnull(ANOMALY_ID) and isnull(RTEstatus)
  | map maxsearches=20 search="dbxquery query=\"call itoa_admin.Z_PLEASE_SLEEP(60,?,?)\" connection=\"HANA_MLBSO\"  |appendcols[|makeresults| eval decision=\"$decision$\" | eval triggertime=\"$triggertime$\" |  eval ANOMALY_ID = \"$ANOMALY_ID$\" | eval host_to_trigger=\"$host_to_trigger$\" | eval RTEstatus=\"$RTEstatus$\"  ] "

where Z_PLEASE_SLEEP is the DB procedure called from the dbxquery, which is called out of the map and controlled by the where ....

Kind Regards,
Kamil

0 Karma
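The same gating pattern as in Kamil's final post, but applied to the original sleep60 command instead of a dbxquery, as an added example that is not from the thread. It relies on map running its search once per incoming result: when the where clause drops every row, map launches no subsearch and sleep60 never starts, which is the behaviour the plain `| where decision=1 | sleep60` pipeline did not give. sleep60 and the decision field are the OP's; maxsearches=1 is a constructed setting that also caps the sleep at one invocation should several rows survive the filter.

```spl
| makeresults
| eval decision=1
| where decision=1
| map maxsearches=1 search="| makeresults | sleep60 | eval decision=$decision$"
```

Change decision=1 to decision=0 on the second line and the alert finishes immediately, since no row reaches map.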