Editing search query if token not null - Splunk - splunk

I'm trying to add information to my search query in Splunk if a token is not null, but it is not working.
I have an input checkbox called filtre, and I want to modify my search if the input filtre is used.
So, I want to do this:
if $filtre$ == null
index="fortigate" policyid=$policy$ $scr_dest$=$IP$ service=$service$ NOT action = blocked
| stats values(src_ip) values(dest_ip) values(service) values(action)
else:
index="fortigate" policyid=$policy$ $scr_dest$=$IP$ service=$service$ NOT action = blocked
| stats values(src_ip) values(dest_ip) values(service) values(action) by $filtre$
I have been trying by *, by null, using eval and multisearch:
| multisearch
[search index="fortigate" policyid=$policy$ $scr_dest$=$IP$ service=$service$ NOT action = blocked
| stats values(src_ip) values(dest_ip) values(service) values(action)
| where like($filtre$ == null ) ]
[search index="fortigate" policyid=$policy$ $scr_dest$=$IP$ service=$service$ NOT action = blocked
| stats values(src_ip) values(dest_ip) values(service) values(action) by $filtre$
| where like($filtre$ != null) ]
Nothing works.
Thanks

The command where like($filtre$ == null) is incorrect. The like function compares a field value to a SQL pattern and expects two arguments rather than a single boolean expression. To determine if a field is or isn't null, use the isnull() or isnotnull() function.
Using stats ... by $filtre$ will fail when the token is empty because the field required by the by clause will be absent. To fix that, we have to make by go away when $filtre$ is null, which can be done using a separate token.
When the filtre token is set, define another token (which I'll call $by$) and use that in the stats command. When $filtre$ is cleared, unset $by$.
<input type="checkbox" token="filtre">
...
<change>
<condition match="$filtre$ == &quot;Enable&quot;">
<set token="by">by $filtre$</set>
</condition>
<condition>
<unset token="by"></unset>
</condition>
</change>
</input>
| stats ... values(action) $by$

Related

CloudWatch Logs Insights display a field from the JSON in the log message

This is my log entry from AWS API Gateway:
(8d036972-0445) Method request body before transformations: {"TransactionAmount":225.00,"OrderID":"1545623982","PayInfo":{"Method":"ec","TransactionAmount":225.00},"CFeeProcess":0}
I want to write a CloudWatch Logs Insights query which can display the AWS request id, present in the first parentheses, and the order id present in the JSON.
I'm able to get the AWS request id by parsing the message. How can I get the OrderID JSON field?
Any help is greatly appreciated.
| parse @message "(*) Method request body before transformations: *" as awsReqId, JsonBody
# | filter OrderID = "1545623982"   (this did not work)
| display awsReqId,OrderID
| limit 20
You can do it with two parse steps, like this:
fields @message
| parse @message "(*) Method request body before transformations: *" as awsReqId, JsonBody
| parse JsonBody "\"OrderID\":\"*\"" as OrderID
| filter OrderID = "1545623982"
| display awsReqId,OrderID
| limit 20
Edit:
Actually, the way you're doing it should also work. I think it doesn't work because you have 2 space characters between brackets and the word Method here (*) Method. Try removing 1 space.
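For anyone processing the same API Gateway log lines outside Insights (an exported log group, a Lambda), here is an added example, not part of the question or answer above, that extracts the request id from the leading parentheses and decodes the body as JSON instead of globbing for "OrderID":"*", so it keeps working when whitespace or key order differs. The sample messages are constructed; the first mirrors the line from the question.

```python
import json
import re

# Matches the API Gateway execution-log line shown in the question:
#   "(<request id>) Method request body before transformations: <json>"
# \s+ tolerates the single-vs-double space issue mentioned in the answer's edit.
LINE_RE = re.compile(
    r"^\((?P<req_id>[^)]+)\)\s+Method request body before transformations:"
    r"\s*(?P<body>\{.*\})\s*$"
)


def parse_request_body_line(message: str):
    """Return (request_id, order_id, body_dict) for one log message, or None
    if the line is not a request-body log line or its JSON does not parse."""
    m = LINE_RE.match(message)
    if not m:
        return None
    try:
        body = json.loads(m.group("body"))
    except json.JSONDecodeError:
        return None
    # Decoding the JSON instead of pattern-matching "OrderID":"*" keeps working
    # when the key order changes or the producer emits whitespace after the colon.
    return m.group("req_id"), body.get("OrderID"), body


def find_order(messages, order_id):
    """Return the request ids whose body carries the given OrderID (the
    equivalent of the '| filter OrderID = ...' step in the Insights query)."""
    hits = []
    for msg in messages:
        parsed = parse_request_body_line(msg)
        if parsed and parsed[1] == order_id:
            hits.append(parsed[0])
    return hits


# Constructed sample messages: the first mirrors the question's line, the second
# has extra whitespace and a different key order, the third is another log line
# from the same group that must be ignored.
SAMPLE_MESSAGES = [
    '(8d036972-0445) Method request body before transformations: '
    '{"TransactionAmount":225.00,"OrderID":"1545623982","PayInfo":{"Method":"ec","TransactionAmount":225.00},"CFeeProcess":0}',
    '(1a2b3c4d-0001)  Method request body before transformations: '
    '{"OrderID": "9999", "TransactionAmount": 10.5}',
    '(1a2b3c4d-0002) Endpoint response body before transformations: {"ok":true}',
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        print(parse_request_body_line(msg))
    print(find_order(SAMPLE_MESSAGES, "1545623982"))
```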

Splunk - Add Conditional On Input

I have a Splunk Dashboard. This dashboard has a Text input where the user can enter a path. After entering the input, I would like to apply some conditional logic to the path input by the user before the search is executed. Is this possible in Splunk? Is there a way for me to take the Text input (i.e. path) and do something like:
var parameter1 = "value-a";
if (path == "/endpoint-1")
parameter1 = "value-b";
else if (path == "/endpoint-2")
parameter1 = "/endpoint-3";
// Execute search with parameter1
Thank you.
Subsearches!
Eg:
index=data [
| makeresults count=1
| eval path="$inputToken$"
| eval parameter1=case(
path="/endpoint-1","value-b",
path="/endpoint-2","/endpoint-3")
| fields parameter1
| format]
The subsearches are run before the main search, and alter that main search.
The main search here, after the subsearch, would be something like:
index=data parameter1="value-b"
Related reading to help on your subsearch journey:
https://docs.splunk.com/Documentation/Splunk/latest/SearchTutorial/Useasubsearch
https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Format
https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Return

How to use Splunk functions in the query

Does anyone here know how I can use built-in functions (case) in a Splunk query? All examples I found were to handle the query results (I cannot put it after eval or |).
I need something like:
index=case(indexVar == "qa", "qa-all", indexVar == "prod", "prod-all") sourcetype="kube:container:rail-service"
Note: I cannot just concatenate indexVar + "-all".
The case function may be built-in, but that doesn't mean you can use it anywhere. It's only valid with the eval, fieldformat, and where commands.
A workaround would be to put the eval in a subsearch.
sourcetype="kube:container:rail-service" [
| makeresults
| eval index=case(indexVar == "qa", "qa-all", indexVar == "prod", "prod-all")
| fields index ]

Assign Nested Value to Variable in Splunk

I have an event log in Splunk that looks like this:
{
"event": {
"Id":"12345",
"Name": "My Event",
"Inputs": {
"Param1":"some value",
"Param2":"another value"
},
"Result": {
"statusCode":"304"
}
}
}
I need to get the value of the statusCode from the Result to determine what kind of error I received. Currently, I'm using the following Splunk query:
index="myIndex"
sourcetype="*"
| spath=event
| fields
_time
Name
Result.statusCode
| eval _status="tbd"
| eval _code=statusCode
| eval _code=case(statusCode>=200 AND statusCode<300, "OK", statusCode>=300 AND statusCode<400, "Redirected", statusCode>=400 AND statusCode<500, "User Error", statusCode>500, "Server Error")
| rename
Name as RequestName
_code as StatusCode
_status as Status
| table
_time
RequestName
Status
StatusCode
Result.statusCode
The above is a port of the actual query in an effort to isolate the issue. Still, the issue is when I run my query, I can see:
_time
RequestName
Status
Result.statusCode
Oddly, and the part that is confusing me is, I cannot see StatusCode. I need a variable to do additional processing, which is why I have the eval _code statement. However, I'm not having any luck using Result.statusCode as a variable. What am I missing?
Avoid leading underscores in field ("variable") names as they are hidden by default. Some can only be used after assigning their values to another field.
Also, creating a field and then renaming it is unnecessary unless the final field name will contain spaces or special characters.
It looks like something is missing from the query since only the _time and Result.statusCode fields exist, but statusCode is used often. The case function will return null if statusCode does not exist. The Name field also doesn't exist so I don't understand how you can see RequestName.
index="myIndex"
sourcetype="*"
| spath event
| fields
_time
Result.statusCode
| eval Status="tbd", statusCode='Result.statusCode'
| eval StatusCode=case(statusCode>=200 AND statusCode<300, "OK",
statusCode>=300 AND statusCode<400, "Redirected",
statusCode>=400 AND statusCode<500, "User Error",
statusCode>500, "Server Error",
1==1, statusCode)
| rename
Name as RequestName
| table
_time
RequestName
Status
StatusCode
Result.statusCode

How to reference an eval variable in query

I am trying to access a variable (in this example, sampleFromDate and sampleToDate) from a sub-query. I have defined the variables with the syntax eval variableName = value and would like to access them with the syntax filterName=$variableName$. See the example below where I am trying to access values using earliest=$sampleFromDate$ latest=$sampleToDate$:
index=*
earliest=-8d latest=-1d
| eval sampleToDate=now()
| eval sampleFromDate=relative_time(now(), "-1d")
| appendcols [
search (index=*)
earliest=$sampleFromDate$ latest=$sampleToDate$
]
This produces the error:
Invalid value "$sampleFromDate$" for time term 'earliest'
The value of sampleFromDate is in the format seconds since epoch time, e.g.
1612251236.000000
I know I can do earliest=-d latest=now() - but I don't want to do this because I want to reference the variables in several locations and output them at the end.
Why are you trying to eval those time values?
Just do:
index=* earliest=-8d latest=-1d
| <rest of search>
| appendcols [
search (index=*) earliest=-1d
| <rest of appended search>
]
There's no need to explicitly set latest unless you want something other than now().