Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: streamstats and eval combination to find error
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
streamstats and eval combination to find error
Hi
I have created below dummy sample data-
|makeresults|eval a="1328,1345"
|append[|makeresults| eval state="added", add_field="1855"]
|append[|makeresults| eval state="added", add_field="1860"]
|append[|makeresults| eval a="1855,1328,1860,1345"]
|append[|makeresults| eval state="removed", remove_field="1855"]
|append[|makeresults| eval a="1855,1328,1860,1345"]
Now If you look at data whenever state is added it should add the number to previous `a` field and if it has not added then it should show error field as =1. similarly for state=removed, it should remove that number from previous a field and if not able to removed then it should show error field as =1.
In above case it has successfully added to a field but unsuccess in removing from field a hence last event should show error field as =1.
Thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
At what stage should it check whether its added/removed ? Is it after each addition/removal
For e.g. in the below sample data, should it check after row 2 or only after row 3 ?
Also could there be successive added/removed status ?
e.g
row 1 : added
row2 : removed
row3: added
with the existing data and assumptions, try below
|makeresults|eval a="1328,1345"
|append[|makeresults| eval state="added", add_field="1855"]
|append[|makeresults| eval state="added", add_field="1860"]
|append[|makeresults| eval a="1855,1328,1860,1345"]
|append[|makeresults| eval state="removed", remove_field="1855"]
|append[|makeresults| eval a="1855,1328,1860,1345"]
|eval exists=if(isnull(a),0,1)
|reverse| filldown a |reverse|filldown state
|eval a_list=a|makemv a_list delim=","
|eval add_error=if(isnotnull(add_field) AND isnull(mvfind(a_list,add_field)),1,0)
|eval remove_error=if(isnotnull(remove_field) AND isnotnull(mvfind(a_list,remove_field)),1,0)
|eventstats dc(add_error) as add_error_count,dc(remove_error) as remove_error_count by a,state
|eval a=if(exists==1,a,null())
|eval error=if(add_error_count > 1 OR remove_error_count > 1,1,0)
|eval error=if(exists==1,error,null()),state=if(exists==1,state,null())
|fields - a_list,*_error*,exists
What goes around comes around. If it helps, hit it with Karma 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for reply @renjith_nair
So whenever `a` field has value I need to check based on its all above addition/removal status except for first event.
Yes there can be successive added/removed status.
I need to confirm as per status of addition/removal does it gives correct results in field-`a` if not then highlight it as error.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Did you try the above and is it working?
What goes around comes around. If it helps, hit it with Karma 🙂
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Index This | What travels the world but is also stuck in place?
Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data
Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...
