Splunk Search

eval returning null value for a looked up field

ffrig
New Member

I have a query which I need to chart with an overlay with a static baseline figure (maxiops) which is retrieved by looking up a couple of fields in a csv file (DISKTYPE and SPEED). This returns MAX_IOPS.

I'm using 6.1 and thought this would be nice and easy, but it appears that MAX_IOPS is being treated as NULL so I cannot plot the line. If I hardcode maxiops=75 etc it works.

Any ideas how I can use the MAX_IOPS field for plotting the static line? The value is not dependent on the number of disks (PDID) returned. It's just based on DISKTYPE and SPEED.

index=ssa source="dbmon-tail://3Par-System-Reporter/statpd_hires" 3par_array_name=f400xlt01 DISKTYPE=NL SPEED=* PDID=17 OR PDID=18 | eval total_iops=(((d_rcount + d_wcount) * 1000000)/d_now_msec) | eval read_iops=((d_rcount * 1000000)/d_now_msec) | eval write_iops=((d_wcount * 1000000)/d_now_msec) | timechart span=1m max(read_iops) as "Read IOPs", max(write_iops) as "Write IOPs" by PDID | eval maxiops=if(isnull(MAX_IOPS),"yes","no")

Many thanks!

0 Karma

MuS
SplunkTrust

Hi ffrig,

I'm not sure if I understand it completely, but what I see is that you set maxiops with the last eval to either yes or no, and this cannot be charted in timechart.

Maybe you should try something like this as the last eval:

 eval maxiops=if(isnull(MAX_IOPS), "75", MAX_IOPS)

This will set maxiops to either the value of MAX_IOPS or, if the field is empty, to 75. Or this one:

 eval myMaxIOPS="75" | eval maxiops=coalesce(MAX_IOPS, myMaxIOPS)

This will set a new field first and use in the second eval either MAX_IOPS, if it exists, or myMaxIOPS.

Cheers, MuS

0 Karma

ffrig
New Member

Thanks. I only get one MAX_IOPS but per PDID returned.
I can't set just one in the lookup as FC and NL types have different values. I need to select one of these based on what someone sets on the dashboard.

Basically I just need the lookup value based on what someone selects for DISKTYPE and SPEED and plot that independently of anything else. As I'm trying to overlay this on the chart, I don't think that's possible?

I suppose I could do it with one massive if statement instead of the lookup but that kind of defeats the object :>(

0 Karma

MuS
SplunkTrust

Yes, your timechart is by or per PDID. Since you have three different MAX_IOPS in your lookup, you will get back three different values. If you only need one, either set only one in the lookup or do it like you did in the beginning and set it 'static' using eval.

0 Karma

ffrig
New Member

Hi MuS

That works but I get a MAX_IOPS per PDID which isn't what I need. I just need one MAX_IOPS for all PDIDs.

0 Karma

MuS
SplunkTrust

*facepalm* Your MAX_IOPS field is 'gone' after the timechart! Add it like max(MAX_IOPS) AS MAX_IOPS to the timechart and you should be fine.

0 Karma
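
The suggestion above written out as a full search and reduced to a single baseline series, as an added example that is not part of any post in this thread. It assumes that timechart, given several aggregations plus a by clause, names the split columns `MAX_IOPS: <PDID>`, and that the resulting maxiops field is the one selected as the chart overlay.

```spl
index=ssa source="dbmon-tail://3Par-System-Reporter/statpd_hires" 3par_array_name=f400xlt01 DISKTYPE=NL SPEED=* PDID=17 OR PDID=18
| eval read_iops=((d_rcount * 1000000)/d_now_msec)
| eval write_iops=((d_wcount * 1000000)/d_now_msec)
| timechart span=1m max(read_iops) as "Read IOPs", max(write_iops) as "Write IOPs", max(MAX_IOPS) as MAX_IOPS by PDID
| foreach "MAX_IOPS: *" [ eval maxiops=coalesce(maxiops, '<<FIELD>>') ]
| fields - "MAX_IOPS: *"
```

Because timechart is a transforming command, only the fields it aggregates survive it; the foreach step then copies the first non-null per-PDID baseline into one maxiops column and the fields command drops the per-PDID copies.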

ffrig
New Member

index=ssa source="dbmon-tail://3Par-System-Reporter/statpd_hires" 3par_array_name=v400xlt01 | table DISKTYPE SPEED MAX_IOPS

returns MAX_IOPS as 75, 150, 200 depending on the search criteria so that looks fine.

0 Karma

ffrig
New Member

The problem is that MAX_IOPS is NULL and I can't see why it is.

The value is retrieved via a lookup:

~props.conf:
LOOKUP-ssa-3par-iops = ssa-3par-performance DISKTYPE SPEED OUTPUTNEW MAX_IOPS MAX_MBS

~transforms.conf:
[ssa-3par-performance]
filename = ssa_3par_iops.csv

[root@vspindexlt03 local]# cat ../lookups/ssa_3par_iops.csv
DISKTYPE,SPEED,MAX_IOPS,MAX_MBS
NL,7,75,30
FC,10,150,45
FC,15,200,45

This is working as I see it in the events, but I get a NULL for MAX_IOPS when charting with:

index=ssa source="dbmon-tail://3Par-System-Reporter/statpd_hires" 3par_array_name=f400xlt01 DISKTYPE=NL SPEED=* PDID=17 OR PDID=18 | eval total_iops=(((d_rcount + d_wcount) * 1000000)/d_now_msec) | eval read_iops=((d_rcount * 1000000)/d_now_msec) | eval write_iops=((d_wcount * 1000000)/d_now_msec) | timechart span=1m max(read_iops) as "Read IOPs", max(write_iops) as "Write IOPs" by PDID | eval maxiops=if(isnull(MAX_IOPS),"75",MAX_IOPS)

0 Karma

MuS
SplunkTrust

So you got a field named MAX_IOPS which contains numeric values?

0 Karma

ffrig
New Member

Thanks MuS. I'll try your suggestions.

The last eval "isnull" part was just to show that it's been set to null. I should have taken that out I suppose!

I don't understand why MAX_IOPS is NULL though?

0 Karma