Splunk Search

If event X then event Y occurred Return no results, If just X occurred return results

benj851
Explorer

I am trying to perform a search to return only results that are "Broke". Broke means Event 7000 with a specific Message, happened and there has not been a reboot since.

If it's "fine", Event 7000 happens, but so did another event, like 1074 (ID for event starting) for instance. I'm evaluating this in the original results. However, when I search for my "fine" results, I get none returned even though there should be more than 300 results. This led me to think that my "Broke" results are not accurate, but they are.

Can you please guide me on what I'm doing wrong?

host = "something" source="WinEventLog:*" (EventCode=7000 AND Message="*notimportant*")
| regex host="S[0-9][0-9][0-9][0-9]01[0-9][1-9]"
| dedup host
|eval status=if((EventCODE== 7000 AND Message=="*notimportantt*" AND EventCode==6005) OR (EventCode==7000 AND Message=="*notimportant*"), "fine", "Broke")
|stats latest(status) as current_status latest(EventTime) as LastEvent by host
| Where current_status=="fine"

woodcock
Esteemed Legend

Your mistake is here:

 |eval status=if((EventCODE== 7000 AND Message=="*notimportantt*" AND EventCode==6005) OR (EventCode==7000 AND Message=="*notimportant*"), "fine", "Broke")

Notice that you have EventCODE== 7000 AND ... AND EventCode==6005 which can never be true. I am not sure what the logic is supposed to be, but this cannot be correct because it will always be false.


DalJeanis
Legend

First, since your base search tests for (EventCode=7000 AND Message="notimportant"), you don't have to ever test for that again.

Second, deduping on host means you will never ever get two events for a host. So, every event at that point will be the latest status.

Third, you are testing for EventCODE and for EventCode. It doesn't matter, because in that search EventCode will always be 7000, so the result will always be "fine" in that code.

Try doing something like this pseudocode...

(your search that finds any events that shows it is broken)
OR
(your search that finds any events that means it is fine)
| dedup host
| eval status = if(the status you detected is broken, "broken", "fine")
| where status="broken"

Note that dedup will accept the first record it encounters for each host, and that splunk naturally returns events with the most recent events first. If you do anything to manipulate record order, make sure that dedup happens when you have sorted the ones you want to be first.


cpetterborg
SplunkTrust

Just taking a different approach to the problem:

I'd use a transaction to tie event X to event Y and then search for transactions that have a line count of 1. Those that are 1 are then the broken ones. Yes, that involves using transactions which many people don't like very much, but I find them incredibly useful for things like this. The logic is easy to get right.

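The dedup-based pseudocode above, written out as a concrete search (an added example, not from any of the posters): it assumes the same host pattern and Message filter as the question, treats EventCode 6005 (Event Log service started at boot) and 1074 (shutdown/restart initiated) as the "fine" markers, and relies on the base search having already matched the Message, so the eval only needs to test EventCode.

```spl
host="something" source="WinEventLog:*"
    ((EventCode=7000 AND Message="*notimportant*") OR EventCode=6005 OR EventCode=1074)
| regex host="S[0-9][0-9][0-9][0-9]01[0-9][1-9]"
| sort 0 - _time
| dedup host
| eval status=if(EventCode=7000, "broken", "fine")
| where status="broken"
| eval LastEvent=strftime(_time, "%Y-%m-%d %H:%M:%S")
| table host status LastEvent
```

The explicit `sort 0 - _time` guarantees that dedup keeps each host's newest event even if an earlier command changed the order, and the Message wildcard lives only in the base search because eval's `==` compares literal strings and does not expand `*`.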