- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to use multiple where conditions in a search t...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Working with the following:
EventStarts.txt
UserID, Start Date, Start Time
SpecialEventStarts.txt
UserID, Start Date, Start Time
EventEnds.txt
UserID, Start Date, End Time
SpecialEventEnds.txt
UserID, Start Date, End Time
I have to match up the starts with the appropriate ends. So far I know how to extract the required data, but I don't know how to do it for the start and end so as to match them up. I believe I have to use a where condition. This is my thinking...
x = "EventStarts.txt" OR "SpecialEventStarts.txt" OR "EventEnds.txt" OR "SpecialEventEnds.txt"
| where x = EventStarts.txt
| do what I want you to do
| where x = SpecialEventStarts.txt
| do what I want you to do
| where x = EventEnds.txt
| #do what I want you to do
| where x = SpecialEventEnds.txt
| do what I want you to do
How do I know when the where condition stops???
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You have not specified what you are really trying to do so we have to guess quite a bit but, assuming that you have forwarded in these events from files, you can do something like this and maybe this gets you far enough along to finish it for yourself:
index=* source="*EventStarts.txt" OR source="*SpecialEventStarts.txt" OR source="*EventEnds.txt" OR source="*SpecialEventEnds.txt" | eval special=if(like(source, "%Special%"), "Special", "Normal") | stats values(*) AS * by user special
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You have not specified what you are really trying to do so we have to guess quite a bit but, assuming that you have forwarded in these events from files, you can do something like this and maybe this gets you far enough along to finish it for yourself:
index=* source="*EventStarts.txt" OR source="*SpecialEventStarts.txt" OR source="*EventEnds.txt" OR source="*SpecialEventEnds.txt" | eval special=if(like(source, "%Special%"), "Special", "Normal") | stats values(*) AS * by user special
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
eval special=if(like(source, "%Special%"), "Special", "Normal")
OK. Woodcock I'm thinking instead of a where condition I can use the if condition to determine the sourcetype. Sort of a similar problem though. I understand that the "Special" portion of the above line represents the executable if the if equals true and the "Normal" is the else. How do I perform multiple lines of executables when the if equals to true?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Unfortunately, you have to stack more | eval x=if() clauses into the pipeline. There may be more tricky options but I would need to know exactly what you are trying to do.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Ok. Thanks I appreciate your help.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I am assuming that for EventEnds.txt and SpecialEventEnds.txt you actually have End Date and not Start Date, right?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
That's right. My plan to match them up is to use the Start and End Dates. So to do this in the code I was thinking I'd need to use the Where function to execute lines of code only for a specific sourcetype and then move on to the next.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It depends on "do what I want you to do" whether it can be achieved by simple where clause or using transaction OR other commands. Could you provide more details on what you want to do here, how the Start and End will be correlated etc?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
In the "do what I want you to do" I plan on identifying the date/time of the records and match them up chronologically.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Are you getting these events by forwarding them in (monitoring the files) or by using inputlookup (or inputcsv)? If the former, which date are you using for your timestamp ( _time )?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I uploaded CSVs to test it out but the idea is to get these events from monitoring files.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This is likely a use case for transaction command.
http://docs.splunk.com/Documentation/Splunk/6.3.0/SearchReference/Transaction
something along the lines of
base search | transaction startswith=EventStarts.txt endswith=EventEnds.txt
Introducing the 2024 SplunkTrust!
Introducing the 2024 Splunk MVPs!
Splunk Custom Visualizations App End of Life
