Splunk DB Connect 1: Why is HTTPStatus not returning a value while using an eval field pulled from a database connection?

mbuschle
Explorer

I'm running into an issue with httpstatus not returning a value while using an eval field pulled from a database connection. I have a database that contains a list of Web Servers. My goal is to pull this list and use an eval statement to concatenate the server name into a url field. I will then pass that url into httpstatus.

My issue is that when I create this field and pass it to httpstatus, the command returns no information. It doesn't return a 0, which would be an error, it just doesn't return a status at all. Below is the search I'm using.

|dbquery "database" "SELECT SERVER FROM DLVRYIMPL_VE_DEVICE WHERE ISONLINE = 1 AND ROWNUM = 1" | eval url="http://".SERVER. ":80/userdata/_qc_/_qc_/e8/e858eb10-4fea-43e8-89cc-87cb0d531d53/qumu_48b4c6fd644e41e395e8c51b962fdc01Med.mp4?origin=10.10.10.10:80;server2:80" | httpstatus | table url, httpstatus

I've confirmed that the url I've created is valid and that it does work. If I copy the url I've created directly from the results and paste it into an eval field directly (not using the concatenation), httpstatus will return a result of 200. That search can be found below.

 | eval url="http://server:80/userdata/_qc_/_qc_/e8/e858eb10-4fea-43e8-89cc-87cb0d531d53/qumu_48b4c6fd644e41e395e8c51b962fdc01Med.mp4?origin=10.10.10.10:80;server2:80" | dedup url | httpstatus | table url, httpstatus

It appears to me that Splunk may not be passing the concatenated field in as text, but I can't determine a good way to troubleshoot that. Also, I should note that I've had to modify the httpstatus.py file to allow it to work within my internal environment. However, I've also tested with the original script and the results are identical.

Any help in troubleshooting this issue would be appreciated.

1 Solution

sideview
SplunkTrust

The answer is really weird, it looks like. Reading its Python source, the httpstatus command for some reason is only written to do the work if there happens to be a field called "_raw". So I would try this.

|dbquery "database" "SELECT SERVER FROM DLVRYIMPL_VE_DEVICE WHERE ISONLINE = 1 AND ROWNUM = 1" | eval url="http://".SERVER. ":80/userdata/_qc_/_qc_/e8/e858eb10-4fea-43e8-89cc-87cb0d531d53/qumu_48b4c6fd644e41e395e8c51b962fdc01Med.mp4?origin=10.10.10.10:80;server2:80" | eval _raw="silly_httpstatus_workaround" | httpstatus | table url, httpstatus

mbuschle
Explorer

You are correct, it does look weird but it also works. Thanks for the help. Maybe Nimish will see this question and be able to shed some light on why we need to have the _raw field.

sideview
SplunkTrust

My first thought is that maybe the SERVER value coming out of dbquery has a trailing or leading space character, but it sounds like you've ruled that out. And one very long longshot is to try putting | nomv SERVER right after the dbquery command.

mbuschle
Explorer

Yes, I did think of the leading or trailing space, and have made sure to eliminate any, but that didn't seem to be a problem. Also, I did just try the | nomv Server, but that also didn't make any difference. Thanks for the ideas.
