- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to create a new Boolean field from the lookup ...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to create a new Boolean field from the lookup result of two fields of two searches?
My scenario is thus:
The main search searches for a pattern in a sourcefile:
source="/apps.log" index=idx "abc" | xmlkv | Search TransactionStatus=Complete |table _time SerialNumber
It then looks up the SerialNo field in another search result, say:
search source="/apps.log" index=idx "edf" | xmlkv | search CoverageCd=Done |table SerialNo
If the SerialNumber in the main search is found the in the SerialNo in the subsearch, then I need to create a new Boolean field called Found and set it to True, for all those events that are found in the subsearch, the field is set to False.
I can easily offload the data to Python dataframes and achieve this but really need to do it within Splunk for online efficiency.
Could anyone help on this?
Thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try this:
source="/apps.log" index=idx "abc" OR "edf" | xmlkv
| eval comboSerial=coalesce(SerialNo, SerialNumber)
| eventstats count(eval(searchmatch("edf AND CoverageCd=Done"))) AS Found BY comboSerial
| search "abc" AND TransactionStatus="Complete"
| table _time SerialNumber Found
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Splunk reports:
Error in 'eventstats' command: The eval expression for dynamic field 'eval(searchmatch("abc" AND CoverageCd="Done"))' is invalid. Error='Typechecking failed. 'AND' only takes boolean arguments.'
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I forgot an end-parenthesis; I edited and fixed it. Try it again.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The parenthesis are matched, but the error message is still the same. The searchmatch only accepts "edf AND Done" like argument.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You are correct; too many double-quotes. I fixed it AND tested it this time!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
source="/apps.log" index=idx "abc" OR "edf"
| xmlkv
| search TransactionStatus=Complete OR CoverageCd=Done
| eval Found=if(SerialNumber=SerialNo,"True","False")
| table _time SerialNumber SerialNo Found
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This does not work as the two search results have different structures. The results of
source="/apps.log" index=idx "abc" OR "edf" | xmlkv | search TransactionStatus=Complete OR CoverageCd=Done |table SerialNumber SerialNo
looks like:
SerialNumber SerialNo
ADH001
........... ADH001
ADH002
ADH003
........... ADH003
etc.
as they are in different events, they never get matched with each other.
Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...
.conf24 | Registration Open!
ICYMI - Check out the latest releases of Splunk Edge Processor
