Splunk Search

Implementing condition in search

zacksoft
Contributor

This is the algorithm of my query. Could someone help me in constructing it.

If (A happens)
{
    Then (Execute B Query)
}

"Here A is a query like Host=A OR B, error_happened"
"B is a query like Host=A OR B, usage
Show in stats/chart, if 'apple' and 'error' found
if 'orange' and 'error' found
if 'grape' and 'error' found"
Apple/Orange/Grape/Error/Error_happened are not Splunk fields they are just some string/keyword in events.
And B query should only execute if A query return any events/lines. If A query returns no events/lines then B shouldn't execute.

jplumsdaine22
Influencer

You could use a subsearch, and return null if your condition is unmet. Like this:

[search host=fruitbasket rotten  
| stats count 
| eval search=if(count>0,"bad AND (orange OR apple)",null()) 
| fields search 
| format "" "" "" "" "" "" ]
zacksoft
Contributor

Thanks, I was looking for something exactly like this, a subsearch kind of thing.

In #4 you have said "fields search". What does this line do?
And what about #5 | format "" "" <-- does it mean to format the output?

Would this give the count (timechart) type stating how many events we had with (apple AND bad) & (orange AND bad)?

jplumsdaine22
Influencer

So this subsearch will return a value based on whether or not it discovers events that match host=fruitbasket rotten . If there are events it will return bad AND (orange OR apple). If there are no events it will return NOT OR ()

NOT OR () evaluates to null, so the outer search will return zero events. If you want a timechart as well, then throw a timechart command after the search like so

[search host=fruitbasket rotten  
| stats count 
| eval search=if(count>0,"bad AND (orange OR apple)",null()) 
| fields search 
| format "" "" "" "" "" "" ]
| timechart count

For more information on what the fields search and format mean, have a look at the subsearch documentation http://docs.splunk.com/Documentation/Splunk/latest/Search/Aboutsubsearches

jplumsdaine22
Influencer

Also if this answers your question don't forget to mark the answer as accepted!

Cheers

zacksoft
Contributor

The query runs without any error, however it doesn't return any events. It seems like it isn't finding the keywords error/orange/apple to search. I put double quotes around them, but the expression gets malformed. It is to be noted that error/orange/apple are not Splunk fields, but just some words found in events.

jplumsdaine22
Influencer

Which query returns no events? host=fruitbasket rotten or bad AND (orange OR apple)?

zacksoft
Contributor

bad AND (orange OR apple)

jplumsdaine22
Influencer

I'm a bit confused. If you do a query for bad AND (orange OR apple) on its own (without all the subsearch bit), do you get any results? If you get none then the problem is that you have no data, not that the search is being malformed.

If you think the eval is failing, try this on its own:

| makeresults
| eval search="bad AND (orange OR apple)"
| fields search 
| format "" "" "" "" "" ""

That's what will get sent to the main search if your condition is true.

zacksoft
Contributor

[search host="RAone*.jxa.com" OR host="RATwo*.jxa.com" source="/apps/BSA/data/log/bolly-*" Rotten
| stats count
| eval search=if(count>0,""error" AND ("apple" OR "orange")",null) )
| fields search
| format "" "" "" "" "" ""
| timechart count ]

When I run the queries individually (without nesting in a subsearch) it gives results.
But when I run them together like above I get the error "Error in 'eval' command: The expression is malformed. Expected )."

Just so you know, rotten, error, apple, orange etc. are words found in logs; they are not Splunk fields.

mayurr98
Super Champion

You have to use eval(if) in conjunction with like() on _raw data.

Refer to this link, you will get an idea.
http://docs.splunk.com/Documentation/Splunk/7.0.1/SearchReference/ConditionalFunctions#like.28TEXT.2...

Let me know if it helps!

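As an added example that is not from any poster in this thread, the conditional subsearch from the earlier reply and the like() check on _raw suggested above combined into one search: the category counts are charted only when the trigger search (the "A" query) finds events. The index name applogs, the host, the keywords and the hourly span are assumptions; like() is case-sensitive, so the events are matched on lower(_raw).

```spl
index=applogs host=fruitbasket
    [ search index=applogs host=fruitbasket rotten
      | stats count
      | eval search=if(count>0, "bad AND (apple OR orange OR grape)", null())
      | fields search
      | format "" "" "" "" "" "" ]
| eval fruit=case(like(lower(_raw), "%apple%"),  "apple",
                  like(lower(_raw), "%orange%"), "orange",
                  like(lower(_raw), "%grape%"),  "grape")
| where isnotnull(fruit)
| timechart span=1h count by fruit
```

The subsearch must emit a field literally named search so that format passes the string through verbatim; when the trigger search finds nothing, the outer search gets the empty clause described in the reply above and the timechart is simply empty, which is the intended gate rather than an error.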
zacksoft
Contributor

Could you give me a pseudo-query using eval(if) and like/_raw, a skeleton model query, to have an idea how it should be?

zacksoft
Contributor

eval (Host=A OR B, usage
Show in stats/chart, if 'apple' and 'error' found'
if 'orange' and 'error' found
if 'grape' and 'error 'found'"
| stats count by usage) IF (Host=A OR B, "error_happened")

i.e. eval B IF (A happens).

Is this how it should be composed?

mayurr98
Super Champion

I am not getting what you want.
Can you please provide some sample input data and also tell us what output you want?

zacksoft
Contributor

Let me put it in another way,

If (Host = "fruitbasket" "rotten")
Then search ("apple" AND "bad") and ("orange" AND "bad")
and show it in some stats.

What I mean here is, if the initial search (Host = "fruitbasket" "rotten") returns any result then I want to search for events containing the keywords ("apple" AND "bad") and ("orange" AND "bad") etc.

Hope I am clear enough.
