Splunk Search

null variables in eval if

Path Finder

I'm trying to list the last logged event for each permutation of my two logged fields (columns). If the last event was too long ago, I want to output "dead" for that combination of the two columns.

My queries thus far are using eval with if. However I can't get the if statement to work with my column values.

If I make a dummy query,

hello_world_name=* host=* | stats max(timestamp) by hello_world_name, host | eval awol=if(1>0,"dead","live") | fields hello_world_name, host, awol, max(timestamp)

This will output "dead", because 1 > 0 evaluates to true. That seems right ! 🙂

However, this one doesn't work:

hello_world_name=* host=* | stats max(timestamp) by hello_world_name, host | eval awol=if(max(timestamp)<0,"dead","live") | fields hello_world_name, host, awol, max(timestamp)

What happens is, the value in the predicate of the "if" always evaluates to false.

  • max(timestamp) compared to anything is always false (or null?)
  • if I replace the tested value with "timestamp", it still doesn't work - "timestamp" compared to anything is always false (or null?)

This one doesn't work either:

hello_world_name=* host=* | stats max(timestamp) as bob by hello_world_name, host | eval awol=if(bob>now(),"dead","live") | fields hello_world_name, host, awol, bob

What happens is, even though "bob" is a real value, as evidenced by the column labeled "bob", no matter if the predicate is set "bob>now()" or "bob<now()", the answer is always as if it is false - the value of awol is "live".

What is the deal? Am I using eval incorrectly? How do I test fields from elsewhere in the query?

Tags (2)
1 Solution

Path Finder

timestamp is still a string, and even max(timestamp) is still a string. It looks like when comparing against integers the answer will always be false.

Ways around this:

  • use _time instead of the original parsed timestamp. This will be Splunk's guess at the timestamp. I think it might be derived from the field it recognizes as a timestamp.
  • parse the timestamp field into an integer with strptime . This can be a little dicey, so it's more reliable to use _time

View solution in original post

0 Karma

Path Finder

timestamp is still a string, and even max(timestamp) is still a string. It looks like when comparing against integers the answer will always be false.

Ways around this:

  • use _time instead of the original parsed timestamp. This will be Splunk's guess at the timestamp. I think it might be derived from the field it recognizes as a timestamp.
  • parse the timestamp field into an integer with strptime . This can be a little dicey, so it's more reliable to use _time

View solution in original post

0 Karma

Path Finder

query:

hello_world_name=* host=* | stats max(timestamp) by hello_world_name, host | eval awol=if(max(timestamp)>0,"dead","live") | fields hello_world_name, host, awol, max(timestamp)

result:

hello_world_name    host    awol    max(timestamp)
1   inabanoirousagi live    2015-02-04 03:32:32,910
bloobloo    inabanoirousagi live    2015-06-18 21:16:43,910
fnord   inabanoirousagi live    2015-06-17 20:43:20,860

query:

hello_world_name=* host=* | stats max(timestamp) as bob by hello_world_name, host | eval awol=if(bob>now(),"dead","live") | fields hello_world_name, host, awol, bob

result:

hello_world_name    host    awol    bob
1   inabanoirousagi live    2015-02-04 03:32:32,910
bloobloo    inabanoirousagi live    2015-06-18 21:16:43,910
fnord   inabanoirousagi live    2015-06-17 20:43:20,860
0 Karma

Esteemed Legend

As @martin_mueller says, there are many fundamental problems with your search including all that he notes but even if everything that he notes is fixed, any time you compare an event's timestamp to now(), it should always be less than; your example is looking for events in the future than have not occurred yet! >now()!

0 Karma

Esteemed Legend

Some how my answer got clipped; it is repaired now.

0 Karma

Path Finder

Thanks woodcock, but that is not the problem. As I mentioned in the text of my question,

What happens is, even though "bob" is
a real value, as evidenced by the
column labeled "bob", no matter if the
predicate is set "bob>now()" or
"bob if it is false - the value of awol is
"live".

0 Karma

SplunkTrust
SplunkTrust

There's a key misunderstanding in your query.

If a host is "dead", ie has no events in your time range, there won't be any events in your time range. As a result, it won't even have a row to evaluate the awol value for that host.

Another issue, what format is your timestamp field using? Comparing now() with a string won't make sense, for example.

0 Karma

Path Finder

I'm sorry, I think I left out a key element which I thought would be implied by the fields in the query.

There will be events - they will just be old. My intention is for the final version of the query to test "timestamp" for its difference from now(). For example something like:

if (max(timestamp - now()) > 600, ...
0 Karma

Path Finder

try adding something like this after your stats command:

| eval awol = max(timestamp)
| table awol

That will show you what awol is calculating to and you can then adjust accordingly.

0 Karma

Path Finder

Thanks, but the "fields" clause already shows the values -- they are how I know the predicate isn't doing what I want.

0 Karma
State of Splunk Careers

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!