Can you help me write an if statement for the foll...

keishamtcs · ‎12-03-2018

Hi,

I need to write an if statement for the following condition. I have two services in which status is shown by 0 or 1.
0 is stop and 1 is running, It has two different sources. The alert should trigger when it is not running in both the sources i.e, (0,0) or (1,1).

i tried using something like this but it does not work. How to rectify this query ?

This is for (0,0)

| eval Application=if(((source="Primary_source" AND Status=0) AND (source="secondory_source" AND Status=0)),"Down", "Up")

This is for both (0,0) and (1,1)

| eval Application=if((((source="Primary_source" AND Status=0) AND (source="secondory_source" AND Status=1))) OR ((source="Primary_source" AND Status=1) AND (source="secondory_source" AND Status=1)),"Down", "Up")

sergeye · ‎12-03-2018

Hi If I understand you correct and you need an alert to trigger for both 0,0 and 1,1 conditions,
I guess this is an easiest way (the actual query is only the last string):

| makeresults 
| eval source="Primary_source",Status=1 
| append 
    [| makeresults 
    | eval source="Secondory_source",Status=1 ] 
| stats dc(Status) as Status | where Status = 1

this will provide you a result only if both Statuses are 1 or both statuses are 0,
and based on this you can create an alert.

kamlesh_vaghela · ‎12-03-2018

@keishamtcs

If you have the latest event from the different source for the latest status, then you can try below search to get source wise status as a column. Here, you have different events from the different source.

YOUR_SEARCH 
| dedup source | table source Status | transpose header_field=source

Now you can add conditions as per your requireemtns.
like, for (0,0)

| eval Application=if(Primary_source=0 AND secondory_source=0,"Down", "Up")

For (1,1)

| eval Application=if(Primary_source=1 AND secondory_source=1,"Up", "Down")

like that.

My Sample Search is like below.

| makeresults
| eval source="Primary_source",Status=0 | append [ | makeresults 
| eval source="secondory_source",Status=1 ] | dedup source | table source Status | transpose header_field=source 
| eval Application=if(Primary_source=0 AND secondory_source=0,"Down", "Up")

Please let me know for more assistance.

Thanks

keishamtcs · ‎12-03-2018

Hi Kamlesh,

Thanks for the input..your query is using only one condition at a time. I would need need both the condition in the same search (0,0) and (1,1).

Regards

kamlesh_vaghela · ‎12-03-2018

@keishamtcs

Yes, I have given you a sample search. Please try this one.

| eval Application=if((Primary_source=0 AND secondory_source=0) OR (Primary_source=1 AND secondory_source=1),"true", "false")

I'm not sure about what if (1,1) or (0,0), so I have kept true and false

You can change it as per your requirement.

🙂

keishamtcs · ‎12-03-2018

Yes..i did the tricked. i dont see the option of accepting this answer. any idea where is it ?

kamlesh_vaghela · ‎12-11-2018

@keishamtcs

Glad to help you. Please accept the answer. 🙂

Happy Splunking

sergeye · ‎12-03-2018

Hi,
Can you please clarify the statement for up and down because I'm not sure I understand you correct.

I see 4 possible variants, can you please approve (or disprove and fix this table):
0,0 = Down
0,1 = Up
1,0=Up
1,1=Down

is it correct?

Can you help me write an if statement for the following condition?

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

.conf24 | Personalize your .conf experience with Learning Paths!

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...