Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

streamstats and eval combination to find error

ips_mandar
Builder
‎09-30-2020 12:24 AM

Hi
I have created below dummy sample data-

 

|makeresults|eval a="1328,1345"
|append[|makeresults| eval state="added", add_field="1855"]
|append[|makeresults| eval state="added", add_field="1860"]
|append[|makeresults| eval a="1855,1328,1860,1345"]
|append[|makeresults| eval state="removed", remove_field="1855"]
|append[|makeresults| eval a="1855,1328,1860,1345"]

 

Now If you look at data whenever state is added it should add the number to previous `a` field and if it has not added then it should show error field as =1. similarly for state=removed, it should remove that number from previous a field and if not able to removed then  it should show error field as =1.
In above case it has successfully added to a field but unsuccess in removing from field a hence last event should show error field as =1.
Thanks

Labels (1)
Labels
Reply

renjith_nair
Legend
‎09-30-2020 09:23 PM

At what stage should it check whether its added/removed ? Is it after each addition/removal

For e.g. in the below sample data, should it check after row 2 or only after row 3 ?

Also could there be successive added/removed status ?

e.g

row 1 : added

row2 : removed

row3: added

with the existing data and assumptions, try below

|makeresults|eval a="1328,1345"
|append[|makeresults| eval state="added", add_field="1855"]
|append[|makeresults| eval state="added", add_field="1860"]
|append[|makeresults| eval a="1855,1328,1860,1345"]
|append[|makeresults| eval state="removed", remove_field="1855"]
|append[|makeresults| eval a="1855,1328,1860,1345"]
|eval exists=if(isnull(a),0,1)
|reverse| filldown a  |reverse|filldown state
|eval a_list=a|makemv a_list delim=","
|eval add_error=if(isnotnull(add_field) AND isnull(mvfind(a_list,add_field)),1,0)
|eval remove_error=if(isnotnull(remove_field) AND isnotnull(mvfind(a_list,remove_field)),1,0)
|eventstats dc(add_error) as add_error_count,dc(remove_error) as remove_error_count by a,state
|eval a=if(exists==1,a,null())
|eval error=if(add_error_count > 1 OR remove_error_count > 1,1,0)
|eval error=if(exists==1,error,null()),state=if(exists==1,state,null())
|fields - a_list,*_error*,exists

 

 

---
What goes around comes around. If it helps, hit it with Karma 🙂
Reply

ips_mandar
Builder
‎10-01-2020 05:33 AM

Thanks for reply @renjith_nair 
So whenever `a` field has value I need to check based on its all above addition/removal status except for first event.
Yes there can  be successive added/removed status.
I need to confirm as per status of addition/removal does it gives correct results in field-`a` if not then highlight it as error.

0 Karma
Reply

renjith_nair
Legend
‎10-01-2020 10:38 PM

Did you try the above and is it working?

---
What goes around comes around. If it helps, hit it with Karma 🙂
0 Karma
Reply
Get Updates on the Splunk Community!

Index This | What is broken 80% of the time by February?

December 2025 Edition   Hayyy Splunk Education Enthusiasts and the Eternally Curious!    We’re back with this ...

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...

Hello Splunk Community,   We're thrilled to share an exciting update that will help you manage your data more ...

Splunk MCP & Agentic AI: Machine Data Without Limits

Discover how the Splunk Model Context Protocol (MCP) Server can revolutionize the way your organization uses ...