Re: How to return field values from an eval/if sta...

RickGenesis · ‎05-15-2013

I am trying to return change data for our servers. basically I import the list of open changes from the change control system, I then run a search (it will be a macro once it works) that checks if the specified server is currently in a change window,if it is it returns the change number if not it returns "operational"

 sourcetype=RFClist Change_Status!=Draft OR Change_Status!=Closed Details="*serverA*" earliest=0 latest=now 
| where time() > strptime(Change_Start_Date, "%F %T") AND time() < strptime(Change_End_Date, "%F %T") 
| stats count as window 
| eval window=if(window==0,"Operational",Change_Number)

when I use a server that is not in a change window I get the "Operational" output, but when I use a server that is in a change window I get nothing. If I just use strings in the eval/if statement I get valid output.

anyone got any ideas?

kristian_kolb · ‎05-15-2013

The eval/if looks fine. However, I'm thinking that you'd want to use _time rather than time() in the where statement

/k

kristian_kolb · ‎05-15-2013

Oh, then perhaps the Change_Number does not have a value, i.e. is null?

RickGenesis · ‎05-15-2013

_time is the time of the returned events, I am checking if the returned events (changes) are currently(ie now) active. I believe the search statement is correct as if I replace the change_number field with a string e.g "in change" it works perfectly, except I really wanted the change number as part of the output.

How to return field values from an eval/if statement

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases