Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Error when using eval in a range

markthompson
Builder
‎10-15-2014 02:57 AM

Hi,
i have the following search query:

index=project_omega host=PersistUBS | transaction startswith="Targeting file BP_Comp_Summ_Pos*" endswith="Server returned an error: No such file or folder" OR "The file was downloaded successfully." | search "Error" OR "Attempt 3...unsuccessful."  | eval interval=relative_time(_time,"@d") | eval isFailure=if(searchmatch("Error") OR searchmatch("Attempt 3...unsuccessful."),1,0) | stats sum(isFailure) as failures | rangemap field=failures low=0-0 elevated=1-2 severe=3-15 default=15

But it's showing as N/A instead of a number, please can someone suggest why this is?

Tags (4)
Reply
1 Solution
Solved! Jump to solution
Solution

MuS
Legend
‎10-17-2014 04:57 AM

Hi markthompson,

based on @martin_mueller 's answer and my comment, I did some research and tests, how this could be done without use of a sub search. It took a while, but here is what you can try and it should handle the case when there are no events at all during the search time range:

index=project_omega host=PersistUBS 
| transaction startswith="Targeting file BP_Comp_Summ_Pos*" endswith="Server returned an error: No such file or folder" OR "The file was downloaded successfully." 
| search "Error" OR "Attempt 3...unsuccessful."  
| eval isFailure=if(searchmatch("Error") OR searchmatch("Attempt 3...unsuccessful."),1,0) 
| stats count AS myCount sum(isFailure) as failures 
| eval failure=if(myCount=="0",0,failure)
| rangemap field=failures low=0-0 elevated=1-2 severe=3-15 default=15

hope this helps ...

cheers, MuS

View solution in original post

Reply
Solved! Jump to solution
Solution

MuS
Legend
‎10-17-2014 04:57 AM

Hi markthompson,

based on @martin_mueller 's answer and my comment, I did some research and tests, how this could be done without use of a sub search. It took a while, but here is what you can try and it should handle the case when there are no events at all during the search time range:

index=project_omega host=PersistUBS 
| transaction startswith="Targeting file BP_Comp_Summ_Pos*" endswith="Server returned an error: No such file or folder" OR "The file was downloaded successfully." 
| search "Error" OR "Attempt 3...unsuccessful."  
| eval isFailure=if(searchmatch("Error") OR searchmatch("Attempt 3...unsuccessful."),1,0) 
| stats count AS myCount sum(isFailure) as failures 
| eval failure=if(myCount=="0",0,failure)
| rangemap field=failures low=0-0 elevated=1-2 severe=3-15 default=15

hope this helps ...

cheers, MuS

Reply
Solved! Jump to solution

martin_mueller
SplunkTrust
SplunkTrust
‎10-16-2014 04:05 AM

The sum of "nothing" is not zero, it's "nothing" or rather null. To fix that, you could include this before the stats:

... | eval isFailure=... | append [stats count | eval isFailure=0] | stats sum(isFailure) as failures | ...

That'll make sure there always is at least one zero to sum up, guaranteeing a numeric sum.

0 Karma
Reply
Solved! Jump to solution

martin_mueller
SplunkTrust
SplunkTrust
‎10-16-2014 06:16 AM

Post it here and let the world be your critic?

0 Karma
Reply
Solved! Jump to solution

martin_mueller
SplunkTrust
SplunkTrust
‎10-16-2014 04:15 AM

When there are zero events that eval would be run zero times 😛

0 Karma
Reply
Solved! Jump to solution

MuS
Legend
‎10-16-2014 05:27 AM

btw, just found a way to do this without append and it works with or without finding results. If it's okay I'll mail you the search so you can verify this twisted search 🙂

0 Karma
Reply
Solved! Jump to solution

MuS
Legend
‎10-16-2014 04:18 AM

true .. 🙂

0 Karma
Reply
Solved! Jump to solution

MuS
Legend
‎10-16-2014 04:14 AM

Just asking: why not a simple isnull eval instead of the appended subsearch?

...| eval isFailure=if(isnull(isFailure),"0",isFailure) | ...
0 Karma
Reply
Solved! Jump to solution

martin_mueller
SplunkTrust
SplunkTrust
‎10-15-2014 01:10 PM

Make sure you set the default range to something other than 15, probably default=critical or something like that.

Also note you're calculating an interval field but not using it.

0 Karma
Reply
Solved! Jump to solution

MuS
Legend
‎10-15-2014 04:39 AM

Hi markthompson,

what will happen if you try something like this:

index=project_omega host=PersistUBS 
| transaction startswith="Targeting file BP_Comp_Summ_Pos*" endswith="Server returned an error: No such file or folder" OR "The file was downloaded successfully." 
| search "Error" OR "Attempt 3...unsuccessful."  
| eval interval=relative_time(_time,"@d") 
| eval isFailure=if(searchmatch("Error") OR searchmatch("Attempt 3...unsuccessful."),1,0) 
| stats sum(isFailure) as failures 
| eval failuresCategory = case(failures=0,"low",failures<3,"elevated",failures>=3,"severe")
| table failuresCategory

Maybe this will help you to get to the point.

cheers, MuS

0 Karma
Reply
Solved! Jump to solution

martin_mueller
SplunkTrust
SplunkTrust
‎10-16-2014 03:44 AM

Doesn't sound like a rangemap issue, this is the value showing N/A rather than the colour, right?

Make sure there actually are matching events in the time range to have something to sum up.

0 Karma
Reply
Solved! Jump to solution

markthompson
Builder
‎10-16-2014 04:02 AM

There are no events in Today that have failed, so it should default to low (green). Any ideas why it's not doing so?

0 Karma
Reply
Solved! Jump to solution

martin_mueller
SplunkTrust
SplunkTrust
‎10-16-2014 03:08 AM

Basically what @MuS said:

...  | eval range = case(failures=0,"low",failures<3,"elevated",failures>=3,"severe")
0 Karma
Reply
Solved! Jump to solution

markthompson
Builder
‎10-16-2014 03:13 AM

I've tried this and then it still says N/A on my dashboard.

Current string:

 index=project_omega host=PersistUBS | transaction startswith="Targeting file BP_Comp_Summ_Pos*" endswith="Server returned an error: No such file or folder" OR "The file was downloaded successfully."  | search "Error" OR "Attempt 3...unsuccessful."  
 | eval interval=relative_time(_time,"@d") 
 | eval isFailure=if(searchmatch("Error") OR searchmatch("Attempt 3...unsuccessful."),1,0) 
 | stats sum(isFailure) as failures 
 | eval failuresCategory = case(failures=0,"low",failures<3,"elevated",failures>=3,"severe")
 | eval range = case(failures=0,"low",failures<3,"elevated",failures>=3,"severe")
0 Karma
Reply
Solved! Jump to solution

martin_mueller
SplunkTrust
SplunkTrust
‎10-16-2014 02:52 AM

Use eval to compute a field called range using the case suggested by @MuS and you'll have the same behaviour as rangemap, including dashboard visualizations using the field value as a CSS class.

0 Karma
Reply
Solved! Jump to solution

markthompson
Builder
‎10-16-2014 03:02 AM

Hey Martin, can you please give me an example of the string you would use and I'll mark it as answer if it works.

0 Karma
Reply
Solved! Jump to solution

markthompson
Builder
‎10-16-2014 02:38 AM

Hi MuS Thanks for this answer.
However, I wish to use the rangemap command as it's configured on the dashboard to create a traffic light based on the level (low, elevated or severe)

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...

Introducing Splunk Enterprise 9.2

WATCH HERE! Watch this Tech Talk to learn about the latest features and enhancements shipped in the new Splunk ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...