Other Usage
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to Break the eval condition in 3 line?

man03359
Communicator
‎08-30-2023 03:10 AM

Hi All,

I am trying to build a search query for an alert and below is the condition-

| eval status=if(((src="DB_Rebuild_Indexes_UpdateStats_MDM" OR src="DB_Stop_IndexRebuild_Jobs") AND (JobExecTime>39600 OR message="failed")) 
OR (src="RetailAutonomyDataSync" AND (JobExecTime>21600 OR message="failed")) 
OR (src="RetailAutonomyPromotionsDataSync" AND (JobExecTime>4000 OR message="failed"))
OR (src="retailautonomyfileage" AND (((Fname="mdmdat" OR Fname="omsdat") AND Age>240) OR (Fname="promodat" AND Age>120)))
OR (src="retaillineitemdup" AND Count>0)
OR (src="esbmessagecount" AND MsgCount>5),"Down","Up")
| stats count count(eval(status="Down")) AS Down latest(_time) as _time BY Device Store src host Chain StoreNum Domain

 But I am facing difficulty at line 4-

OR (src="retailautonomyfileage" AND (((Fname="mdmdat" OR Fname="omsdat") AND Age>240) OR (Fname="promodat" AND Age>120)))It is reading all 3 filenames as one (Fname).

It is taking all 3 file names (Fname=mdmdat,omsdat,promodat) as one and hence I am getting the incorrect count for the src=retailautonomyfileage

I am trying to break the condition of line no 4 into 3 parts within the eval condition itself.

 

Thanks in advance.

Labels (1)
Labels
0 Karma
Reply

man03359
Communicator
‎08-30-2023 04:17 AM

Here is the attachment of the output.

Hope this helps.

Preview file
106 KB
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎08-30-2023 03:26 AM

Hi @man03359 ,

let me understand: the Fname field is a single value or a multivalue field, before the stats command?

If it's a multivalue, you have to separate them using "mvexpand" command (https://docs.splunk.com/Documentation/SCS/current/SearchReference/MvexpandCommandOverview#:~:text=Th....).

If it's a single value field there isn't no reasong to have the described behaviour.

Anyway, (I cannot test but it should work), if it's a single value field, you could try to use separated evals:

| eval 
   status=if(((src="DB_Rebuild_Indexes_UpdateStats_MDM" OR src="DB_Stop_IndexRebuild_Jobs") AND (JobExecTime>39600 OR message="failed")),"Down",""),
   (src="RetailAutonomyDataSync" AND (JobExecTime>21600 OR message="failed")),"Down",""), 
   (src="RetailAutonomyPromotionsDataSync" AND (JobExecTime>4000 OR message="failed")),"Down",""),
   (src="retailautonomyfileage" AND (((Fname="mdmdat" OR Fname="omsdat") AND Age>240) OR (Fname="promodat" AND Age>120)))
OR (src="retaillineitemdup" AND Count>0)
OR (src="esbmessagecount" AND MsgCount>5),"Down","")
| stats count count(eval(status="Down")) AS Down latest(_time) as _time BY Device Store src host Chain StoreNum Domain

Ciao.

Giuseppe

0 Karma
Reply

man03359
Communicator
‎08-30-2023 03:55 AM

Is Fname is a multivalue field having 3 values : mdmdat, omsdat and promodat.

The problem is in this line -

(src="retailautonomyfileage" AND (((Fname="mdmdat" OR Fname="omsdat") AND Age>240) OR (Fname="promodat" AND Age>120)))

It is giving the count of src incorrect, it is reading all the 3 fnames as one.

I am trying to break them in 3 conditions using Fname so that it counts the individual Fname at once.

eg. (src="retailautonomyfileage" AND Fname="mdmdat" AND Age>240) lly for other 2 Fnames.

 

Hope I am able to explain.

 

Tags (1)
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎08-30-2023 04:00 AM

Hi @man03359 ,

ok, it can have one of the three values or there are more values for the same event?

Could you share a sample of your logs, highlighting the values?

Ciao.

Giuseppe

0 Karma
Reply

man03359
Communicator
‎08-30-2023 04:16 AM

I am attaching the output and the entire search query -

 

The count for source (src=retailautonomyfileage) is coming as 18 instead of 6 only because it is counting all the 3 Fnames at once. 

This can come in 3 separate counts for 3 Fnames.

Search query-

index="idx-stores-misc" source="C:\\TJXLogs\\Verify\\SQLLogs\\*" sourcetype="Store:SQLLogs:json" host=stp* (host="*.stp.local" OR host="*.tjxcorp.net") NOT host="stp-675*"
| rex field=host "^(?<Device>[^\.]+)\.(?<Domain>.*)$"
| rex field=source "SQLLogs.(?<src>\D+)_"
| rex field=message "job.(?<message>\w+)."
| lookup Stores_Inventory Device OUTPUT DeviceType Store Chain StoreNum
| where DeviceType="SQL" AND NOT src="sqlserveruptime" AND NOT src="ordertracking"
| eval status=if(((src="DB_Rebuild_Indexes_UpdateStats_MDM" OR src="DB_Stop_IndexRebuild_Jobs") AND (JobExecTime>39600 OR message="failed")) 
OR (src="RetailAutonomyDataSync" AND (JobExecTime>21600 OR message="failed")) 
OR (src="RetailAutonomyPromotionsDataSync" AND (JobExecTime>4000 OR message="failed"))
OR (src="retailautonomyfileage" AND (((Fname="mdmdat" OR Fname="omsdat") AND Age>240) OR (Fname="promodat" AND Age>120)))
OR (src="retaillineitemdup" AND Count>0)
OR (src="esbmessagecount" AND MsgCount>5),"Down","Up")
| stats count count(eval(status="Down")) AS Down latest(_time) as _time BY Device Store src host Chain StoreNum Domain
| eval Status=if(Down=count AND count>0, "0", "1")

 

 

0 Karma
Reply
Get Updates on the Splunk Community!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...