I'm getting lost while trying something simple.
I would like to: per host, per 2-minute span, search all ARGS (field name) for "zebra". If in that 2-minute span, "zebra" appears in the ARGS field, set zebrapres=True. If in that 2-minute span, "zebra" does not appear in any ARGS fields, set zebrapres=False.
Where I am screwing up conditional logic is that there are plenty of ARGS per host where "zebra" doesn't show, even though that host has other ARGS which DO contain "zebra", so my search ends up setting unintended zebrapres=False.
Thank you.
Try something like this
your base search | eval zebrapres=if(like(ARGS,"%zebra%"),"True","False") | bucket span=2m _time | eventstats values(zebrapres) as zebrapres by _time | eval zebrapres=if(isnotnull(mvfind(zebrapres,"zebra")),"true","false")
I guess I found the issue with my query. Try this:
your base search | eval zebrapres=if(like(ARGS,"%zebra%"),"true","false")| bucket span=2m _time | eventstats values(zebrapres) as zebrapres by _time | eval zebrapres=if(isnotnull(mvfind(zebrapres,"true")),"true","false")
How about you try this.
your base search | bucket span=2m _time | stats count by ARGS, host, _time | eval zebrapres=if(like(ARGS,"%zebra%"),"true","false") | stats values(zebrapres) as zebrapres by host,_time | eval zebrapres=if(isnotnull(mvfind(zebrapres,"true")),"true","false")
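The per-host, per-2-minute-window "any match" logic that the search above builds with bucket, eval and stats values(), as an added Python example that is not part of this thread. The events, hosts and the T0 timestamp are constructed; hosts_by_flag() reproduces why counting hosts by the per-event flag puts the same host under both true and false.

```python
from collections import defaultdict

WINDOW_SECONDS = 120          # the "bucket span=2m _time" step
T0 = 1_700_000_040            # constructed window start (a multiple of 120)

# Constructed sample events: (epoch seconds, host, ARGS). Not from the thread.
EVENTS = [
    (T0 + 0,   "hostA", "--mode=fast"),
    (T0 + 30,  "hostA", "--animal=zebra --mode=fast"),
    (T0 + 90,  "hostA", "--mode=slow"),
    (T0 + 10,  "hostB", "--mode=fast"),
    (T0 + 200, "hostA", "--mode=fast"),       # next window, no zebra
    (T0 + 210, "hostB", "--animal=zebra"),    # next window, zebra present
]

def bucket(ts, span=WINDOW_SECONDS):
    """Floor a timestamp to its window start, like `bucket span=2m _time`."""
    return ts - ts % span

def per_event_flags(events, needle="zebra"):
    """The per-event step: eval zebrapres=if(like(ARGS,"%zebra%"),...).
    Returns (window_start, host, matched) for every event."""
    return [(bucket(ts), host, needle in args) for ts, host, args in events]

def hosts_by_flag(events):
    """Mirror `stats dc(host) by zebrapres` on the per-event flag.
    A host with mixed events lands under BOTH values, which is why the
    per-event eval alone cannot split hosts into true/false."""
    out = defaultdict(set)
    for _, host, matched in per_event_flags(events):
        out[matched].add(host)
    return {flag: sorted(hosts) for flag, hosts in out.items()}

def zebrapres(events, needle="zebra"):
    """Collapse to one flag per (host, window): True if ANY event in that
    host's window matched, the role of stats values(zebrapres) by host,_time
    followed by the mvfind check."""
    result = defaultdict(bool)
    for win, host, matched in per_event_flags(events, needle):
        result[(host, win)] = result[(host, win)] or matched
    return dict(result)

if __name__ == "__main__":
    print("hosts by per-event flag:", hosts_by_flag(EVENTS))
    for (host, win), present in sorted(zebrapres(EVENTS).items()):
        print(host, win, present)
```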
Dang! Still no joy. On a network with 128 hosts, the full search tells me that all of them are False for zebra. For "base search... |stats dc(host)", I get 128 hosts. For "base search... | eval zebrapres=if(like(ARGS,"%zebra%"),"true","false")| stats dc(host) by zebrapres", I get false:128 and true:58. By this point in the search string, I don't even understand how I am getting "false:128", when your eval seems like it should be enough to split my true/false zebrapres hosts on its own. I R CUNFZD
I made changes to line 1 (after my previous comment). Earlier there was a mismatch between the value set in zebrapres in line 1 and the value being searched for in the mvfind command.
I may have submitted my comment before I was done, so give and take. Thanks for the continued tries, though!
I may have been stupid and made a silly mistake. I just updated the second answer, give that a try.
somesoni2, I see your change. I tried the new search, and I still get only false results by the end.
For my hosts (130 hosts of varying zebrapres), the following nets me 130 false, and 58 True. The true count is correct.
your base search | eval zebrapres=if(like(ARGS,"%zebra%"),"True","False")|
Can you give the updated answer a try?
somesoni, thanks for the try, but unfortunately, zebrapres only ever returns as false.