Splunk Search

How to return events from a different time range dependent upon field value?

ShaunSutton
New Member

Completely new to Splunk, and hoping to find help with a search I'm using for a dashboard, but cannot get this working.

I am using the following search to return a table of events based on the "BKSTAT" field, which I set up as a field extraction (it is basically the value of "Success" or "Failure" etc. for a backup job in the "backuplogs" sourcetype) and outputs to a table by host name:

sourcetype=BackupLogs BKSTAT=Successful OR BKSTAT=Canceled OR BKSTAT=Failed 
[search * | eval earliest=if(lower(strftime(now(),"%A"))="monday", "@w5", "-1d") | return earliest ] 
| stats latest(BKSTAT) by host

Table Output:

Host                    BKSTAT
ServerA                 Successful
ServerB                 Successful
ServerC                 Failed
Server1                 Successful     (Want to include this server with logs from a different lookup date)

The above search works fine, and if it runs on a Monday it captures the log from before the weekend; otherwise it captures the log from the previous day, as needed for several hosts that back up daily.

We have another server, let's call it "Server1", that has backup logs which populate the same "backuplogs" source. However, this server only backs up on a Friday. I need to modify this search so events for "Server1" are always returned looking back to the previous Friday, i.e. earliest set to "@w5" solely for this server.

Is there any way to incorporate this server's events in the table, as per the example above, alongside the existing search, but specifying the different time range lookup for just this host?

0 Karma
1 Solution

DalJeanis
SplunkTrust

You need a different earliest based on host, correct? So just use parentheses and put a different earliest= for each condition, host="Server1" or NOT host="Server1".

sourcetype=BackupLogs 
(BKSTAT="Successful" OR BKSTAT="Canceled" OR BKSTAT="Failed")
( (  earliest=@w5 AND host="Server1") OR 
( [ search * | eval earliest=if(lower(strftime(now(),"%A"))="monday", "@w5", "-1d") | return earliest ] ) AND 
 NOT host="Server1"  )
 | stats latest(BKSTAT) by host

0 Karma


ShaunSutton
New Member

Unfortunately I tried this code, but it returns only the daily backed-up servers in the table and ignores the "Server1" host from last Friday's date completely, so it's still not capturing the events for Friday for this server alongside the "-1d" lookup for the others.

Is it because it's not returning the "earliest=@w5" to the result set, though it's not a subsearch so shouldn't be needed? I've tried tweaking the above code but am still stumped. Any further ideas?

0 Karma

ShaunSutton
New Member

OK, so I got this working; it turns out I needed extra parentheses around the subsearch/logical AND condition, so I modified it as follows:

(( [ search * | eval earliest=if(lower(strftime(now(),"%A"))="monday", "@w5", "-1d") | return earliest ] ) AND NOT host="Server1"  ))

So I am accepting your answer, DalJeanis, since the logic works. I would still like someone to chip in if they can explain why these extra parentheses are needed and how this affects the search, for future reference.

0 Karma

DalJeanis
SplunkTrust

@ShaunSutton - Hmmm, interesting. It seems like it might be due to some vagaries of the return verb, since the implicit format verb should put its own parens around it.

Try this to see what the results would be...

index=* 
| eval earliest=if(lower(strftime(now(),"%A"))="monday", "@w5", "-1d") 
| table earliest 
| format

And if that has outer parens, then try this (without the previous outer parens):

( [ search * | eval earliest=if(lower(strftime(now(),"%A"))="monday", "@w5", "-1d") | table earliest ] ) AND NOT host="Server1"
0 Karma
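As an added illustration (not part of the thread, and not Splunk's own code), the following Python model shows why the extra parentheses matter. It assumes Splunk's documented Boolean evaluation order (parentheses first, then NOT, then OR, then AND), under which the accepted search's `(A) OR (B) AND NOT host="Server1"` is read as `((A) OR (B)) AND NOT host="Server1"` and drops Server1 entirely, which is the behaviour reported above; the sample events, hosts and dates are constructed.

```python
from datetime import datetime, timedelta

SERVER1 = "Server1"
WEDNESDAY = datetime(2024, 3, 13, 9, 0)  # constructed "now": a Wednesday
MONDAY = datetime(2024, 3, 11, 9, 0)     # constructed "now": a Monday

# Constructed sample backup events (host, _time, BKSTAT); not taken from the thread.
EVENTS = [
    ("ServerA", datetime(2024, 3, 11, 22, 0), "Failed"),
    ("ServerA", datetime(2024, 3, 12, 22, 0), "Successful"),
    ("ServerB", datetime(2024, 3, 12, 22, 30), "Successful"),
    ("ServerC", datetime(2024, 3, 12, 23, 0), "Failed"),
    (SERVER1, datetime(2024, 3, 1, 20, 0), "Failed"),      # the Friday before last
    (SERVER1, datetime(2024, 3, 8, 20, 0), "Successful"),  # last Friday
]

def snap_to_friday(now):
    """Model of Splunk's @w5: the most recent Friday at 00:00 (today if now is a Friday)."""
    days_back = (now.weekday() - 4) % 7
    return (now - timedelta(days=days_back)).replace(hour=0, minute=0, second=0, microsecond=0)

def daily_earliest(now):
    """Model of the thread's subsearch: @w5 when run on a Monday, otherwise -1d."""
    if now.strftime("%A").lower() == "monday":
        return snap_to_friday(now)
    return now - timedelta(days=1)

def or_before_and(host, t, now):
    """The accepted search as Splunk evaluates it: ((A) OR (B)) AND NOT C, so Server1 never survives."""
    a = t >= snap_to_friday(now) and host == SERVER1
    b = t >= daily_earliest(now)
    return (a or b) and host != SERVER1

def and_before_or(host, t, now):
    """The reading the extra parentheses force: (A) OR ((B) AND NOT C)."""
    a = t >= snap_to_friday(now) and host == SERVER1
    b = t >= daily_earliest(now)
    return a or (b and host != SERVER1)

def latest_by_host(events, now, keep):
    """Model of `| stats latest(BKSTAT) by host` over the events the predicate keeps."""
    latest = {}
    for host, t, status in events:
        if keep(host, t, now) and (host not in latest or t > latest[host][0]):
            latest[host] = (t, status)
    return {host: status for host, (_, status) in latest.items()}

if __name__ == "__main__":
    print(latest_by_host(EVENTS, WEDNESDAY, or_before_and))  # no Server1 row
    print(latest_by_host(EVENTS, WEDNESDAY, and_before_or))  # Server1: Successful
```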