I'm running into an issue with httpstatus not returning a value while using an eval field pulled from a database connection. I have a database that contains a list of Web Servers. My goal is to pull this list and use an eval statement to concatenate the server name into a url field. I will then pass that url into httpstatus.
My issue is that when I create this field and pass it to httpstatus, the command returns no information. It doesn't return a 0, which would be an error, it just doesn't return a status at all. Below is the search I'm using.
|dbquery "database" "SELECT SERVER FROM DLVRYIMPL_VE_DEVICE WHERE ISONLINE = 1 AND ROWNUM = 1" | eval url="http://".SERVER. ":80/userdata/_qc_/_qc_/e8/e858eb10-4fea-43e8-89cc-87cb0d531d53/qumu_48b4c6fd644e41e395e8c51b962fdc01Med.mp4?origin=10.10.10.10:80;server2:80" | httpstatus | table url, httpstatus
I've confirmed that the url I've created is valid and that it does work. If I copy the url I've created directly from the results and paste it into a eval field directly (not using the concatenation), httpstatus will return a result of 200. That search can be found below.
| eval url="http://server:80/userdata/_qc_/_qc_/e8/e858eb10-4fea-43e8-89cc-87cb0d531d53/qumu_48b4c6fd644e41e395e8c51b962fdc01Med.mp4?origin=10.10.10.10:80;server2:80" | dedup url | httpstatus | table url, httpstatus
It appears to me that Splunk may not be passing the concatenated field in as text, but I can't determine a good way to troubleshoot that. Also, I should note that I've had to modify the httpstatus.py file to allow it to work within my internal environment. However, I've also tested with the original script and the results are identical.
Any help in troubleshooting this issue would be appreciated.
The answer is really weird it looks like. Reading its python source, httpstatus command for some reason is only written to do the work if there happens to be a field called "_raw". So I would try this.
|dbquery "database" "SELECT SERVER FROM DLVRYIMPL_VE_DEVICE WHERE ISONLINE = 1 AND ROWNUM = 1" | eval url="http://".SERVER. ":80/userdata/qc/qc/e8/e858eb10-4fea-43e8-89cc-87cb0d531d53/qumu_48b4c6fd644e41e395e8c51b962fdc01Med.mp4?origin=10.10.10.10:80;server2:80" | eval _raw="silly_httpstatus_workaround" | httpstatus | table url, httpstatus
The answer is really weird it looks like. Reading its python source, httpstatus command for some reason is only written to do the work if there happens to be a field called "_raw". So I would try this.
|dbquery "database" "SELECT SERVER FROM DLVRYIMPL_VE_DEVICE WHERE ISONLINE = 1 AND ROWNUM = 1" | eval url="http://".SERVER. ":80/userdata/qc/qc/e8/e858eb10-4fea-43e8-89cc-87cb0d531d53/qumu_48b4c6fd644e41e395e8c51b962fdc01Med.mp4?origin=10.10.10.10:80;server2:80" | eval _raw="silly_httpstatus_workaround" | httpstatus | table url, httpstatus
You are correct, it does look weird but it also works. Thanks for the help. Maybe Nimish will see this question and be able to shed some light on why we need to have the _raw field.
My first thought is that maybe the SERVER value coming out of dbquery has a trailing or leading space character but it sounds like you've ruled that out. And one very long longshot, is to try putting | nomv SERVER
right after the dbquery command.
Yes, I did think of the leading or trailing space, and have made sure to eliminate any but that didn't seem to be a problem. Also, I did just try the | nomv Server, but that also didn't make any difference. Thanks for the ideas.