Hi All,
I am trying to build a search query for an alert and below is the condition-
| eval status=if(((src="DB_Rebuild_Indexes_UpdateStats_MDM" OR src="DB_Stop_IndexRebuild_Jobs") AND (JobExecTime>39600 OR message="failed"))
OR (src="RetailAutonomyDataSync" AND (JobExecTime>21600 OR message="failed"))
OR (src="RetailAutonomyPromotionsDataSync" AND (JobExecTime>4000 OR message="failed"))
OR (src="retailautonomyfileage" AND (((Fname="mdmdat" OR Fname="omsdat") AND Age>240) OR (Fname="promodat" AND Age>120)))
OR (src="retaillineitemdup" AND Count>0)
OR (src="esbmessagecount" AND MsgCount>5),"Down","Up")
| stats count count(eval(status="Down")) AS Down latest(_time) as _time BY Device Store src host Chain StoreNum Domain
But I am facing difficulty at line 4-
OR (src="retailautonomyfileage" AND (((Fname="mdmdat" OR Fname="omsdat") AND Age>240) OR (Fname="promodat" AND Age>120)))It is reading all 3 filenames as one (Fname).
It is taking all 3 file names (Fname=mdmdat,omsdat,promodat) as one and hence I am getting the incorrect count for the src=retailautonomyfileage
I am trying to break the condition of line no 4 into 3 parts within the eval condition itself.
Thanks in advance.
Hi @man03359 ,
let me understand: the Fname field is a single value or a multivalue field, before the stats command?
If it's a multivalue, you have to separate them using "mvexpand" command (https://docs.splunk.com/Documentation/SCS/current/SearchReference/MvexpandCommandOverview#:~:text=Th....).
If it's a single value field there isn't no reasong to have the described behaviour.
Anyway, (I cannot test but it should work), if it's a single value field, you could try to use separated evals:
| eval
status=if(((src="DB_Rebuild_Indexes_UpdateStats_MDM" OR src="DB_Stop_IndexRebuild_Jobs") AND (JobExecTime>39600 OR message="failed")),"Down",""),
(src="RetailAutonomyDataSync" AND (JobExecTime>21600 OR message="failed")),"Down",""),
(src="RetailAutonomyPromotionsDataSync" AND (JobExecTime>4000 OR message="failed")),"Down",""),
(src="retailautonomyfileage" AND (((Fname="mdmdat" OR Fname="omsdat") AND Age>240) OR (Fname="promodat" AND Age>120)))
OR (src="retaillineitemdup" AND Count>0)
OR (src="esbmessagecount" AND MsgCount>5),"Down","")
| stats count count(eval(status="Down")) AS Down latest(_time) as _time BY Device Store src host Chain StoreNum Domain
Ciao.
Giuseppe
Is Fname is a multivalue field having 3 values : mdmdat, omsdat and promodat.
The problem is in this line -
(src="retailautonomyfileage" AND (((Fname="mdmdat" OR Fname="omsdat") AND Age>240) OR (Fname="promodat" AND Age>120)))
It is giving the count of src incorrect, it is reading all the 3 fnames as one.
I am trying to break them in 3 conditions using Fname so that it counts the individual Fname at once.
eg. (src="retailautonomyfileage" AND Fname="mdmdat" AND Age>240) lly for other 2 Fnames.
Hope I am able to explain.
Hi @man03359 ,
ok, it can have one of the three values or there are more values for the same event?
Could you share a sample of your logs, highlighting the values?
Ciao.
Giuseppe
I am attaching the output and the entire search query -
The count for source (src=retailautonomyfileage) is coming as 18 instead of 6 only because it is counting all the 3 Fnames at once.
This can come in 3 separate counts for 3 Fnames.
Search query-
index="idx-stores-misc" source="C:\\TJXLogs\\Verify\\SQLLogs\\*" sourcetype="Store:SQLLogs:json" host=stp* (host="*.stp.local" OR host="*.tjxcorp.net") NOT host="stp-675*"
| rex field=host "^(?<Device>[^\.]+)\.(?<Domain>.*)$"
| rex field=source "SQLLogs.(?<src>\D+)_"
| rex field=message "job.(?<message>\w+)."
| lookup Stores_Inventory Device OUTPUT DeviceType Store Chain StoreNum
| where DeviceType="SQL" AND NOT src="sqlserveruptime" AND NOT src="ordertracking"
| eval status=if(((src="DB_Rebuild_Indexes_UpdateStats_MDM" OR src="DB_Stop_IndexRebuild_Jobs") AND (JobExecTime>39600 OR message="failed"))
OR (src="RetailAutonomyDataSync" AND (JobExecTime>21600 OR message="failed"))
OR (src="RetailAutonomyPromotionsDataSync" AND (JobExecTime>4000 OR message="failed"))
OR (src="retailautonomyfileage" AND (((Fname="mdmdat" OR Fname="omsdat") AND Age>240) OR (Fname="promodat" AND Age>120)))
OR (src="retaillineitemdup" AND Count>0)
OR (src="esbmessagecount" AND MsgCount>5),"Down","Up")
| stats count count(eval(status="Down")) AS Down latest(_time) as _time BY Device Store src host Chain StoreNum Domain
| eval Status=if(Down=count AND count>0, "0", "1")