Splunk Search

comparing two field not working with eval case

chandra61446
New Member

I have search below ..

|inputlookup biweekly_backup
| join type=outer max=0 host [search index=tsm sourcetype="tsm-client-log" source="/server2splunk/server_sel" OR source="c:\\LogFiles\\sersel_sched.log" "Total server databases inspected" | rex field=_raw "^(?:[^:\n]*:){3}\s+(?P<TDBs>.+)"]
| convert num(TDBs)
| join type=outer max=0 host [search index=tsm sourcetype="tsm-client-log" source="/server2splunk/server_sel" OR source="c:\\LogFiles\\sersel_sched.log" "Total server databases backed up" | rex field=_raw "^(?P<BDate>[^ ]+)(?:[^:\n]*:){3}\s+(?P<DBBackedup>.+)"]
| convert num(DBBackedup)
| join type=outer max=0 host [search index=tsm sourcetype="tsm-client-log" source="/server2splunk/server_sel" OR source="c:\\LogFiles\\sersel_sched.log" "Total server databases excluded" | rex field=_raw "^(?:[^:\n]*:){3}\s+(?P<DBexcluded>\s+\d+)"]
| table host BDate TDBs DBBackedup DBexcluded
| dedup host
| eval DB_NotBackedup = (TDBs - DBBackedup)
| fillnull value=NoData 
| eval Backup_Status=case(DB_NotBackedup>DBexcluded, "BackupFailed - RunEffBackup", DBBackedup="NoData", "BackupMissed - RunFullBackup", 1=1, "Success")
| table Backup_Status BDate TDBs DBBackedup DBexcluded DB_NotBackedup

While comparing in |eval Backup_Status=case(DB_NotBackedup>DBexcluded, ...
it doesn't take field values to compare,
but when I provide numeric values instead, it does, e.g. |eval Backup_Status=case(DB_NotBackedup>4, ......

Any idea what is missing?


hardikJsheth
Motivator

Your query looks fine to me. What's happening when you run the search? Did you check that you don't have a blank or null value in DBexcluded?


javiergn
Super Champion

Hi,

Try rewriting your case with a double = for comparison, and use a space between the greater-than symbol and the next variable name. Keep in mind this symbol can be part of a variable name (this is valid code: | eval field>A = "random text" 😞

| eval Backup_Status = case(
    DB_NotBackedup > DBexcluded, "BackupFailed - RunEffBackup", 
    DBBackedup == "NoData", "BackupMissed - RunFullBackup", 
    1==1, "Success"
) 

chandra61446
New Member

Still the same.

Output:

   Backup_Status                  BDate       TDBs    DBBackedup  DBexcluded  DB_NotBackedup
1  BackupFailed - RunEffBackup    07/30/2016  1581    1566        3           15
2  BackupFailed - RunEffBackup    07/24/2016  1278    1275        3           3
3  BackupFailed - RunEffBackup    07/31/2016  2165    2162        3           3
4  BackupFailed - RunEffBackup    07/23/2016  678     677         1           1
5  BackupFailed - RunEffBackup    07/30/2016  1918    1915        2           3
6  BackupFailed - RunEffBackup    07/23/2016  1272    1268        3           4
7  BackupFailed - RunEffBackup    07/23/2016  11009   11009       0           0
8  BackupFailed - RunEffBackup    07/31/2016  10020   10019       1           1
9  BackupMissed - RunFullBackup   NoData      NoData  NoData      NoData      NoData

As per the condition, no. 1 and no. 6 should be Success, but they are not!


aholzel
Communicator

Then it seems like the "DBexcluded" field is not a number. You can test it with the eval function isnum(X);
see https://docs.splunk.com/Documentation/Splunk/6.4.2/SearchReference/CommonEvalFunctions#Informational...
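One way to check the field type and then compare numerically, as an added example that is not from any reply in this thread; it replaces everything from | dedup host onward in the original search and keeps its field names. The first eval shows what the third rex actually captured (its \s+\d+ keeps the leading whitespace and DBexcluded is never passed through convert num), and the comparison is done before fillnull so the NoData placeholder cannot turn a numeric comparison into a lexicographic string comparison.

```spl
| dedup host
| eval DBexcluded_type=typeof(DBexcluded), DBexcluded_len=len(DBexcluded), DBexcluded_isnum=isnum(DBexcluded)
| eval TDBs=tonumber(trim(TDBs)), DBBackedup=tonumber(trim(DBBackedup)), DBexcluded=tonumber(trim(DBexcluded))
| eval DB_NotBackedup=TDBs-DBBackedup
| eval Backup_Status=case(isnull(DBBackedup), "BackupMissed - RunFullBackup", DB_NotBackedup>DBexcluded, "BackupFailed - RunEffBackup", 1==1, "Success")
| fillnull value=NoData
| table host Backup_Status BDate TDBs DBBackedup DBexcluded DB_NotBackedup DBexcluded_type DBexcluded_len DBexcluded_isnum
```

tonumber returns null for values it cannot parse, so hosts with no backup data are caught by isnull and only then filled with NoData for display. Once the diagnostic columns confirm the cause, drop that eval and tighten the third rex to \s+(?P<DBexcluded>\d+) so the capture no longer includes whitespace.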
