Completely new to Splunk, and hoping to find help with a search I'm using for a dashboard, but cannot get this working.
I am using the following search to return a table of events based on the "BKSTAT" field, which I set up as a field extraction (it is basically the value of "Success" or "Failure" etc. for a backup job in the "backuplogs" sourcetype), and output it to a table by host name:
sourcetype=BackupLogs BKSTAT=Successful OR BKSTAT=Canceled OR BKSTAT=Failed
[search * | eval earliest=if(lower(strftime(now(),"%A"))="monday", "@w5", "-1d") | return earliest ]
| stats latest(BKSTAT) by host
Table Output:
Host BKSTAT
ServerA Successful
ServerB Successful
ServerC Failed
Server1 Successful (Want to include this server with logs from a different lookup date)
The above search works fine: if it runs on a Monday, it captures the log from before the weekend; otherwise it captures the log from the previous day, as needed for several hosts that back up daily.
We have another server, let's call it "Server1", that has backup logs which populate the same "backuplogs" source. However, this server only backs up on a Friday. I need to modify this search so events for "Server1" are always returned looking back to the previous Friday, i.e. earliest set to "@w5" solely for this server.
You need a different earliest based on host, correct? So just use parentheses and put a different earliest= for each condition, host="Server1" or NOT host="Server1".
sourcetype=BackupLogs
(BKSTAT="Successful" OR BKSTAT="Canceled" OR BKSTAT="Failed")
( ( earliest=@w5 AND host="Server1") OR
( [ search * | eval earliest=if(lower(strftime(now(),"%A"))="monday", "@w5", "-1d") | return earliest ] ) AND
NOT host="Server1" )
| stats latest(BKSTAT) by host
Unfortunately I tried this code, but it returns only the daily backed-up servers in the table and ignores the "Server1" host from last Friday's date completely, so it's still not capturing the events for Friday for this server alongside the "-1d" lookup for the others.
Is it because it's not returning the "earliest=@w5" to the result set, though it's not a subsearch so shouldn't be needed? I've tried tweaking the above code but am still stumped. Any further ideas?
OK, so I got this working; it turns out I needed extra parentheses around the subsearch/logical AND condition, so I modified it as follows:
(( [ search * | eval earliest=if(lower(strftime(now(),"%A"))="monday", "@w5", "-1d") | return earliest ] ) AND NOT host="Server1" ))
So I am accepting your answer DalJeanis, since the logic works. I would still like someone to chip in if they can explain why these extra parentheses are needed and how this affects the search, for future reference?
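To make the per-host window logic of the accepted search concrete, here is an added stand-alone example that is not part of the original thread or of Splunk itself. It models the two relative-time modifiers the search uses, "-1d" and "@w5" (snap to 00:00 of the most recent Friday), picks the window per host exactly as the OR'd clauses do (Server1 always gets @w5; every other host gets @w5 on Mondays and -1d otherwise), and then reproduces `| stats latest(BKSTAT) by host` over a constructed week of backup-log events. The host names, timestamps and statuses are constructed for illustration, and the Python functions are assumptions of this example, not Splunk APIs.

```python
"""
Added example (not from the original thread): simulate the per-host time
windows of the accepted SPL search over constructed backup-log events.
"""
from datetime import datetime, timedelta

FRIDAY = 4  # datetime.weekday(): Monday=0 ... Friday=4 (Splunk's @w5 counts Sunday as w0)


def snap_to_last_friday(now: datetime) -> datetime:
    """Splunk's "@w5": midnight at the start of the most recent Friday
    (today, if today is a Friday)."""
    days_back = (now.weekday() - FRIDAY) % 7
    friday = now - timedelta(days=days_back)
    return friday.replace(hour=0, minute=0, second=0, microsecond=0)


def resolve_earliest(modifier: str, now: datetime) -> datetime:
    """Resolve the two modifiers used in the thread to absolute times."""
    if modifier == "@w5":
        return snap_to_last_friday(now)
    if modifier == "-1d":
        return now - timedelta(days=1)
    raise ValueError(f"unsupported modifier {modifier!r}")


def earliest_for_host(host: str, now: datetime) -> str:
    """Per-host earliest, mirroring the two OR'd clauses of the accepted answer."""
    if host == "Server1":  # weekly host: always look back to the previous Friday
        return "@w5"
    # daily hosts: on a Monday reach back over the weekend, otherwise one day
    return "@w5" if now.weekday() == 0 else "-1d"


WANTED = {"Successful", "Canceled", "Failed"}  # the BKSTAT values the search keeps


def latest_bkstat_by_host(events, now: datetime) -> dict:
    """Equivalent of `... | stats latest(BKSTAT) by host`, applying each
    event's host-specific window [earliest, now] before aggregating."""
    latest = {}
    for ev in events:
        if ev["BKSTAT"] not in WANTED:
            continue
        window_start = resolve_earliest(earliest_for_host(ev["host"], now), now)
        if not (window_start <= ev["_time"] <= now):
            continue
        host = ev["host"]
        if host not in latest or ev["_time"] > latest[host]["_time"]:
            latest[host] = ev
    return {h: ev["BKSTAT"] for h, ev in sorted(latest.items())}


# Constructed sample: one week of backup logs. 2024-06-14 is a Friday.
EVENTS = [
    {"_time": datetime(2024, 6, 14, 22, 0), "host": "Server1", "BKSTAT": "Successful"},
    {"_time": datetime(2024, 6, 14, 23, 0), "host": "ServerA", "BKSTAT": "Successful"},
    {"_time": datetime(2024, 6, 17, 23, 0), "host": "ServerA", "BKSTAT": "Failed"},
    {"_time": datetime(2024, 6, 17, 23, 5), "host": "ServerC", "BKSTAT": "Canceled"},
    {"_time": datetime(2024, 6, 18, 23, 0), "host": "ServerA", "BKSTAT": "Successful"},
    {"_time": datetime(2024, 6, 18, 23, 5), "host": "ServerC", "BKSTAT": "Failed"},
    {"_time": datetime(2024, 6, 18, 23, 9), "host": "ServerB", "BKSTAT": "Running"},  # dropped by the BKSTAT filter
]

if __name__ == "__main__":
    # Run the dashboard search "as of" a Monday morning and a Wednesday morning.
    for now in (datetime(2024, 6, 17, 8, 0), datetime(2024, 6, 19, 8, 0)):
        print(now.strftime("%A %Y-%m-%d"), latest_bkstat_by_host(EVENTS, now))
```

On the Wednesday run, ServerA and ServerC come from the previous day's window while Server1 is still reported from its Friday log; on the Monday run both windows collapse to the same Friday snap, so only the events logged since Friday 00:00 survive.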
@ShaunSutton - Hmmm, interesting. It seems like it might be due to some vagaries of the return verb, since the implicit format verb should put its own parens around it.
Try this to see what the results would be...
index=*
| eval earliest=if(lower(strftime(now(),"%A"))="monday", "@w5", "-1d")
| head 1
| table earliest
| format
And if that has outer parens, then try this (without the previous outer parens)
( [ search * | eval earliest=if(lower(strftime(now(),"%A"))="monday", "@w5", "-1d") | head 1 | table earliest ] ) AND NOT host="Server1" )