Splunk Search

help on eval condition

jip31
Motivator

Hi,
I use the search below, which works fine, but I have an issue with my eval command.
Why can I retrieve the "No SPLUNK Agent" condition even if the SplunkForwarder name doesn't exist in the event?
Thanks

    [| inputlookup host.csv 
     | table host] index=toto sourcetype="tutu" Type=Service Name="SplunkForwarder" 
    | fields Name host 
    | dedup host 
    | eval "SPLUNK agent status"=if(Name=="SplunkForwarder","SPLUNK Agent is present", "No SPLUNK Agent") 
    | stats values("SPLUNK agent status") as "SPLUNK agent status" by host 
1 Solution

arjunpkishore5
Motivator

Hi,

You're explicitly filtering to Name="SplunkForwarder". Remove that from the filter (assuming that index=toto has all the hosts that you are looking for from host.csv).

index=toto sourcetype="tutu" Type=Service  [| inputlookup host.csv 
     | table host]
 | stats latest(Name) as Name by host 
 | eval "SPLUNK agent status"=if(Name=="SplunkForwarder","SPLUNK Agent is present", "No SPLUNK Agent") 
 | stats values("SPLUNK agent status") as "SPLUNK agent status" by host

If index=toto does not have all hosts, then I would append the file to the end.

index=toto sourcetype="tutu" Type=Service Name="SplunkForwarder" [| inputlookup host.csv 
    | table host]
| dedup host 
| eval "SPLUNK agent status"="SPLUNK Agent is present"
| append [| inputlookup host.csv 
    | eval "SPLUNK agent status"="No SPLUNK Agent"
    | table host, "SPLUNK agent status"] 
| stats first("SPLUNK agent status") as "SPLUNK agent status" by host

Hope this helps.

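As an added illustration (not code from the thread or from Splunk), here is a small Python model of the question's pipeline beside the accepted answer's append form, run over constructed sample events and a constructed host.csv; the data, host names and function names are assumptions. It shows why the original search can never produce "No SPLUNK Agent", and how the append form flags both a host that reports other services and a host that sends nothing at all.

```python
import csv
import io
from typing import Dict, List

# Constructed stand-in for host.csv (the inventory of hosts that should run a forwarder).
HOST_CSV = "host\nweb01\nweb02\ndb01\n"

# Constructed stand-in for events from index=toto sourcetype="tutu" Type=Service.
EVENTS = [
    {"host": "web01", "Name": "SplunkForwarder"},
    {"host": "web01", "Name": "W32Time"},
    {"host": "web02", "Name": "W32Time"},  # reports services, but no SplunkForwarder
    # db01 sends no events at all
]


def load_hosts(csv_text: str) -> List[str]:
    """Models [| inputlookup host.csv | table host]."""
    return [row["host"] for row in csv.DictReader(io.StringIO(csv_text))]


def original_search(events: List[dict], hosts: List[str]) -> Dict[str, str]:
    """Models the question's search. The base search already keeps only
    Name="SplunkForwarder", so after dedup every surviving row satisfies the
    if() condition: the "No SPLUNK Agent" branch is unreachable and hosts
    without the service simply vanish from the output."""
    filtered = [e for e in events if e["host"] in hosts and e["Name"] == "SplunkForwarder"]
    status: Dict[str, str] = {}
    for e in filtered:  # dedup host, then eval
        if e["host"] not in status:
            status[e["host"]] = ("SPLUNK Agent is present" if e["Name"] == "SplunkForwarder"
                                 else "No SPLUNK Agent")
    return status


def append_search(events: List[dict], hosts: List[str]) -> Dict[str, str]:
    """Models the accepted answer's append form: forwarder rows from the index come
    first, then one "No SPLUNK Agent" row per inventory host, and
    stats first(...) by host keeps the index row whenever one exists."""
    rows = [(e["host"], "SPLUNK Agent is present") for e in events
            if e["host"] in hosts and e["Name"] == "SplunkForwarder"]
    rows += [(h, "No SPLUNK Agent") for h in hosts]
    status: Dict[str, str] = {}
    for host, s in rows:
        status.setdefault(host, s)  # stats first("SPLUNK agent status") by host
    return status


if __name__ == "__main__":
    inventory = load_hosts(HOST_CSV)
    print("original:", original_search(EVENTS, inventory))
    print("append:  ", append_search(EVENTS, inventory))
```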

woodcock
Esteemed Legend

Do your "pretty" renaming at the end and use lookups the right way; try this (it will be MUCH more efficient):

index="toto" AND sourcetype="tutu" AND Type="Service" AND Name="SplunkForwarder" 
| rename COMMENT AS "This solution assumes that there is no field 'Name' in the 'host.csv' file" 
| inputlookup append=t host.csv 
| stats values(Name) AS Names dc(Name) AS NameCount BY host 
| lookup host.csv host OUTPUT host AS keepme
| where isnotnull(keepme)
| fields - keepme
| eval Name = if(Names=="SplunkForwarder", "SPLUNK Agent is present", "No SPLUNK Agent") 
| rename Name AS "SPLUNK agent status"

P.S. This has been solved many times including:
Meta Woot!: https://splunkbase.splunk.com/app/2949/
TrackMe: https://splunkbase.splunk.com/app/4621/,
Broken Hosts App for Splunk: https://splunkbase.splunk.com/app/3247/
Alerts for Splunk Admins ("ForwarderLevel" alerts): https://splunkbase.splunk.com/app/3796/
Splunk Security Essentials(https://docs.splunksecurityessentials.com/features/sse_data_availability/): https://splunkbase.splunk.com/app/3435/
Monitoring Console: https://docs.splunk.com/Documentation/Splunk/latest/DMC/Configureforwardermonitoring
Deployment Server: https://docs.splunk.com/Documentation/DepMon/latest/DeployDepMon/Troubleshootyourdeployment#Forwarde...


jip31
Motivator

Sorry, but it doesn't work.
Message: Error in 'eval' command: The expression is malformed. An unexpected character is reached at '="SplunkForwarder", "SPLUNK Agent is present", "No SPLUNK Agent")'.
And concerning the inputlookup, I confirm there is no field "name" in the csv,
but your code doesn't match the host that is in host.csv with the host that is in the index.
That's the reason why I use a subsearch like this: [| inputlookup host.csv
| table host]

woodcock
Esteemed Legend

OOPS! That's what I get for answering on my phone without testing! I forgot the Name = part. I have re-edited my answer and it now works. And I now understand very well what you were trying to do with your subsearch, and that is exactly why it doesn't work. You need to BOTH merge your 2 datasets together AND filter the one by the other. Just try the updated (now working) search; it will do exactly what you need in the most efficient way possible. Use lookups with |lookup most of the time because it is unlimited.

P.S. Thanks @to4kawa for pitching in. You are exactly correct; that is why I had the comment in there about my presumptions about the contents of the lookup. My answer will not work if there is a Name field in the lookup file.


to4kawa
Ultra Champion

 index=toto sourcetype="tutu" Type=Service Name=* 
 | rename COMMENT AS "This solution assumes that there is no field 'Name' in the 'host.csv' file"
 | inputlookup append=t host.csv 
 | stats values(Name) AS Names dc(Name) AS NameCount BY host 
 | eval Name=if(isnotnull(mvfind(Names, "^SplunkForwarder$")), "SPLUNK Agent is present", "No SPLUNK Agent") 
 | rename Name AS "SPLUNK agent status"

Hi @jip31,
since the argument of inputlookup is append=t, only the hosts recorded in the csv are searched.
@woodcock, I fixed it.


jip31
Motivator

Hi,
yes, it seems to be good; I just have to put [| inputlookup host.csv
| table host], otherwise I have an issue.
Question: instead of doing this, isn't it possible to do something like
| eval "SPLUNK agent status"=if(Name==!"SplunkForwarder","SPLUNK Agent is present", "No SPLUNK Agent")??


arjunpkishore5
Motivator

Hi @jip31, yes you can. I just split it to make it easier to understand.


gcusello
SplunkTrust

Hi @jip31,
your search is subject to the limit of 50,000 results in subsearches.
So I suggest changing the order of your searches, putting the search on the index as the main search and the inputlookup in the subsearch, something like this:

index=toto sourcetype="tutu" Type=Service Name="SplunkForwarder" 
| eval host=lower(host)
| stats count BY host
| append [ | inputlookup host.csv | eval host=lower(host), count=0 | fields host count ]
| stats sum(count) AS Total BY host
| where Total=0

In this way you have all the hosts that are not sending logs, and you can use this search in an alert.

In addition, maybe a search on _internal could give you the same results ( | metasearch index=_internal ) and is probably more accurate and quick.

If you like, you can also display the situation of your servers in graphic mode in a dashboard using an approach like this:

<form script="table_icons_rangemap.js" stylesheet="table_decorations.css">
  <label>Overview Servers</label>
  <fieldset submitButton="false">
    <input type="time" token="Time">
      <label>Time</label>
      <default>
        <earliest>-15m</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <table id="table1">
        <title>Total = $server_count$</title>
        <search>
          <query>
            index=toto sourcetype="tutu" Type=Service Name="SplunkForwarder" 
            | eval host=lower(host)
            | stats count BY host
            | append [ | inputlookup host.csv | eval host=lower(host), count=0 | fields host count ]
            | stats sum(count) AS total BY host
            | rangemap field=total elevated=0-0 low=1-10000000000000000000000000 default=severe
            | table host range
          </query>
          <earliest>$Time.earliest$</earliest>
          <latest>$Time.latest$</latest>
          <progress>
            <set token="server_count">$job.resultCount$</set>
          </progress>
          <cancelled>
            <unset token="server_count"></unset>
          </cancelled>
        </search>
        <option name="count">100</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">none</option>
        <option name="percentagesRow">false</option>
        <option name="refresh.display">progressbar</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
      </table>
    </panel>
  </row>
</form>

You can find more information about how to get graphic mode in the dashboard in the Table Icon Set (Rangemap) example of the Splunk Dashboard Examples App ( https://splunkbase.splunk.com/app/1603/ ), where it's described how to use js and css and which ones to use.

Ciao.
Giuseppe


to4kawa
Ultra Champion

Hi, you are searching only for Name="SplunkForwarder" in the second line.
