Splunk Enterprise

Need to put out a NOK or OK from reaching timestamp

krispost
New Member

index=mysearch
| eval watchdog_time=_time
| stats count by watchdog_time,date_hour
| convert timeformat="%Y-%m-%d %H:%M" ctime(watchdog_time)
| eval watchdog_value=if(count=1 AND date_hour<"8","OK","NOK")
| eval watchdog=if(isnull(watchdog_value),"NOK","OK")
| convert timeformat="%Y-%m-%d %H:%M" ctime(Date) | table Date, watchdog, watchdog_time
| outputlookup slaamlt.csv append=true
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
I am trying to get an output like this:

Date              watchdog  watchdog_time
2017-12-06 12:32  OK        2017-12-06 05:41
2017-12-06 12:32  NOK       2017-12-06 08:23

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
but I always get this output:

Date              watchdog  watchdog_time
2017-12-06 12:32  OK        2017-12-06 05:41
2017-12-06 12:32  OK        2017-12-06 08:23

It just counts whether there is an entry or not, but I need to know how I can get the function to check that if the file arrives before 8am it is OK, but when the file arrives after 8am it is NOK.

Thank you for helping me!


richgalloway
SplunkTrust

The watchdog_value field is never null because it is always set to either "OK" or "NOK". Therefore the isnull test always fails, so the watchdog field will always be "OK". Skip the intermediate eval and it should work. Try this:

index=mysearch
| eval watchdog_time=_time
| stats count by watchdog_time,date_hour
| convert timeformat="%Y-%m-%d %H:%M" ctime(watchdog_time)
| eval watchdog=if(count=1 AND date_hour<"8","OK","NOK")
| convert timeformat="%Y-%m-%d %H:%M" ctime(Date) | table Date, watchdog, watchdog_time
| outputlookup slaamlt.csv append=true
---
If this reply helps you, Karma would be appreciated.


harsmarvania57
SplunkTrust

Hi @krispost,

When you use | eval watchdog_value=if(count=1 AND date_hour<"8","OK","NOK") in your query, it always assigns a value (OK or NOK) to the watchdog_value field. After that, | eval watchdog=if(isnull(watchdog_value),"NOK","OK") checks whether watchdog_value is null or not, but watchdog_value will never be NULL, so the condition will always be false, which gives OK in watchdog every time.

Just remove the line | eval watchdog=if(isnull(watchdog_value),"NOK","OK") from your query and change the table command to | table Date, watchdog_value, watchdog_time and you will get the correct result.


krispost
New Member

Copy that! Thanks to all!!


harsmarvania57
SplunkTrust

Oops I didn't see that @richgalloway already answered. 🙂


krispost
New Member

Ooohh man! It was soooo easy!! But anyway, thank you so much..
Best regards


richgalloway
SplunkTrust

If your problem is resolved, please accept the answer.

---
If this reply helps you, Karma would be appreciated.

krispost
New Member

Hi richgalloway.. No, it's not fully done. I have the issue now that when I don't get a timestamp entry, there is neither a NOK nor an OK... Do you have a clue why?


krispost
New Member

Hi richgalloway,

Thank you for your efforts. How shall I accept the answer?
For me it's done! I just have the issue that the empty delivered tables don't put out a NOK, but this is another problem.

best regards

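The search below is an added example for this thread; it is not code posted by krispost, richgalloway or harsmarvania57. It combines the accepted fix (one eval that sets OK/NOK directly, no isnull test) with a handling of the follow-up problem krispost describes: when no event arrives at all, the search returns zero rows, so no OK or NOK is ever written to the lookup. The appendpipe subsearch runs stats count over whatever results exist; on an empty result set that still yields one row with rows=0, which is turned into a single NOK row. Assumptions: the SLA window is "today" (earliest=@d), the Date column should hold the time the search ran (now()), and the hour is taken from _time via strftime instead of the date_hour field, so it follows the search's time zone and does not depend on date_* fields having been extracted from the raw event. The 8 is deliberately unquoted so the hour is compared as a number.

```spl
index=mysearch earliest=@d latest=now
| eval watchdog_time=_time
| eval hour=tonumber(strftime(_time, "%H"))
| eval watchdog=if(hour < 8, "OK", "NOK")
| stats count by watchdog_time, watchdog
| appendpipe
    [ stats count as rows
    | where rows=0
    | eval watchdog="NOK", watchdog_time=null(), count=0
    | fields - rows ]
| eval Date=strftime(now(), "%Y-%m-%d %H:%M")
| eval watchdog_time=strftime(watchdog_time, "%Y-%m-%d %H:%M")
| table Date, watchdog, watchdog_time
| outputlookup slaamlt.csv append=true
```

With one or more events the appendpipe branch contributes nothing (rows is greater than 0 and the where clause drops it), so the output is one row per delivery, OK before 08:00 and NOK from 08:00 onwards. With no events the output is exactly one row with watchdog=NOK and an empty watchdog_time, which is what the asker wanted the lookup to record for a missed delivery. If the search is scheduled, the schedule must run after 08:00 so that a late file is judged NOK rather than simply not yet present.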