I am trying to work with some data and I was trying to use the coalesce feature to do something like this:

eval asset=coalesce(hostName,netbiosName,ip,macAddress)

This is necessary because I am looking at some data that sometimes doesn't have a hostname (presumably because it is not in DNS). Unfortunately, I am finding in many cases 'hostName' is not null, but rather 0 length, which isn't the same as null, which foils my coalesce. When I look at the raw events, I see that 'hostName' looks like:

"hostName": ""

What I think I want to accomplish is to look for instances of 'hostName' where the length is zero. From there, my coalesce will work as intended. I found a Splunk Community Post explaining some of this, but as a noob, I am having a problem extending this to my particular problem. But as long as I can identify it, that is all that matters to me. So I'm happy to use any of the fields in my example in order to do so.

I am trying to make a chart of the up(1)/down(0) status of various components, some of which are determined by the IIS logs. This charts a 1 if there was at least one 200 response in the 10s span. It charts a 0 if there were responses, but none were 200. If there are no matching events it is probably not even looked at and returns nothing, and the chart looks like a 0. I want a 1 charted if there are no events in that 10s span.

The reasoning for the up/down status is not important since this is simply an example.

|eval Site1_up=1 if cs_host=A and at least one sc_status=200
|eval Site1_up=0 if cs_host=A and no sc_status=200
|eval Site1_up=1 if there are no events matching cs_host=A
|eval Site2_up=1 if cs_host=B and at least one cs_method=POST
|eval Site2_up=0 if cs_host=B and no cs_method=POST
|eval Site2_up=1 if there are no events matching cs_host=B
|eval Site3_up=1 if cs_host=C AND cs_User_Agent=Mozilla and at least one cs_uri_stem=check.asmx
|eval Site3_up=0 if cs_host=C AND cs_User_Agent=Mozilla and no cs_uri_stem=check.asmx
|eval Site3_up=1 if there are no events matching cs_host=C

It works, except for when no events happen. I want the eval to return a 1 when there are no events in that span. The eval is likely not even called if there are no events in the timechart span I am looking at. I want a fillnull (or similar) to happen before an eval. It should also only use fillnull (or similar) if no events are in that 10 second span. Adding | fillnull value=200 sc_status after the timechart simply shows an extra column of sc_status at 200 in every span (column in the chart). Putting this before the eval does not work since I believe nothing is done without an event. I have also tried | append without success, but don't completely know how that would work. As I write this I realize that what I want is likely not possible using this method.

I checked the fillnull again and it does work using the basic format. I am looking at multiple things and charting more than one value using a case statement with the eval based on the case:

cs_host="" AND like(SOAPAction,"%release%"), "Release",
cs_host="" AND like(SOAPAction,"%verify%"), "Verify",
| timechart Max(site1_up) as Site1 Max(site2_up) as Site2

If I remove the AND Type="" from one of the evals the fillnull will fix that one. I need to use the Type on the eval to do it correctly and I think that is the problem. I have thought of counting the number of events in the time span that match each Type and setting the site_up=1 if it is zero. I also thought of appending each unique search instead of using case. That may involve time buckets and I have not looked into that. I think that would work if it does not cause another problem.
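Added example, not part of either post above and not an answer the thread contained: two SPL searches, one per question. The first search fixes the coalesce problem. coalesce() returns the first argument that is not null, and an empty string is a value, not null, so a zero-length hostName is returned as the asset; converting empty strings to null() before the coalesce makes it fall through to netbiosName, ip and macAddress as intended. The second search fixes the up/down chart. The poster's eval runs per event, so a 10 second bucket with no events has nothing to evaluate and cannot produce a 1; moving the per-bucket logic after the timechart (count per bucket first, then eval on the counts) means every bucket gets a row and the eval runs on all of them. The index and sourcetype names (assets, asset_inventory, iis), the literal host values A, B and C taken from the pseudo-evals, and the counter field names (a_total, a_ok and so on) are assumptions; the field names hostName, netbiosName, ip, macAddress, cs_host, sc_status, cs_method, cs_User_Agent and cs_uri_stem are the ones the posts use.

```spl
index=assets sourcetype=asset_inventory
| eval hostName=if(trim(hostName)=="", null(), hostName),
       netbiosName=if(trim(netbiosName)=="", null(), netbiosName)
| eval asset=coalesce(hostName, netbiosName, ip, macAddress)
| table hostName netbiosName ip macAddress asset

index=iis sourcetype=iis (cs_host="A" OR cs_host="B" OR cs_host="C")
| timechart span=10s
    count(eval(cs_host="A")) AS a_total
    count(eval(cs_host="A" AND sc_status="200")) AS a_ok
    count(eval(cs_host="B")) AS b_total
    count(eval(cs_host="B" AND cs_method="POST")) AS b_ok
    count(eval(cs_host="C" AND cs_User_Agent="Mozilla")) AS c_total
    count(eval(cs_host="C" AND cs_User_Agent="Mozilla" AND cs_uri_stem="check.asmx")) AS c_ok
| fillnull value=0 a_total a_ok b_total b_ok c_total c_ok
| eval Site1=if(a_total=0 OR a_ok>0, 1, 0),
       Site2=if(b_total=0 OR b_ok>0, 1, 0),
       Site3=if(c_total=0 OR c_ok>0, 1, 0)
| table _time Site1 Site2 Site3
```

In the first search, trim() also catches whitespace-only values, and trim() of a null field stays null, so the if() leaves a genuinely missing hostName alone; to just list the offending events instead, replace everything after the base search with | where len(hostName)=0. On recent Splunk versions nullif(hostName, "") expresses the same conversion in one call. In the second search, timechart emits one row for every 10 second bucket with count 0 where nothing matched, and the fillnull is only a guard for that; each Site value is then 1 when the bucket holds no events for that host or at least one event that met the success condition, and 0 otherwise, which is the poster's three rules collapsed into one expression. The Site3 counters only consider Mozilla user-agent events for host C, matching the poster's second and third rules. The case/Type approach from the follow-up is not needed here: the condition that would have gone into Type goes straight into the eval() of the corresponding count().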