newspaint

Documenting Problems That Were Difficult To Find The Answer To


If With Multiple Conditions in Splunk Eval

A common task when using the if() function in a Splunk eval is to test several conditions at once. Unfortunately this is very poorly documented on the Splunk website.

You can use the AND and OR keywords (as opposed to the && or || you might have expected).

e.g.:

index=os sourcetype=ps host=myhost01
  |rex field=CPUTIME "^((?<c_days>\d+)-)?(?<c_hours>\d\d):(?<c_mins>\d\d):(?<c_secs>\d\d)$"
  |eval cpusec=if( isnum(c_days), c_days, 0)*24*3600 + (c_hours*3600) + (c_mins*60) + c_secs
  |eval aa_inrange=if( (cpusec>1000) AND (cpusec<2000), 1, 0 )
  |search aa_inrange=1
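The same AND/OR keywords can be nested with parentheses and combined with NOT, and a multi-way test is often clearer with case() than with nested if() calls. The search below is an added example, not from the original post; it reuses the CPUTIME extraction above and assumes the ps sourcetype also carries USER and COMMAND fields (as the Splunk *nix add-on's ps.sh output does):

```spl
index=os sourcetype=ps host=myhost01
  |rex field=CPUTIME "^((?<c_days>\d+)-)?(?<c_hours>\d\d):(?<c_mins>\d\d):(?<c_secs>\d\d)$"
  |eval cpusec=if(isnum(c_days), c_days, 0)*24*3600 + (c_hours*3600) + (c_mins*60) + c_secs
  |eval aa_flag=if( ((cpusec>1000) AND (cpusec<2000)) OR ((cpusec>86400) AND NOT isnull(USER) AND USER!="root"), 1, 0 )
  |eval bucket=case(cpusec>=86400, "over a day", cpusec>=1000, "1000s to a day", true(), "under 1000s")
  |search aa_flag=1
  |table host USER COMMAND cpusec bucket
```

aa_flag is 1 either for the original 1000 to 2000 second range or for any non-root process that has accumulated more than a day of CPU time; the outer parentheses around each alternative keep the AND/OR precedence explicit. case() evaluates its condition/value pairs in order and the trailing true() acts as the default branch.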

Formatting a Splunk Time Field as ISO-8601

On occasion I will use the stats command in a Splunk search to identify the beginning and end of a particular set of events, e.g.:

search "Fatal Error"
|stats earliest(_time) as started, latest(_time) as ended by host

The problem is that this will display the “started” and “ended” fields as epoch numbers rather than formatted time strings. To render them as ISO-8601 timestamps I use the fieldformat command with the strftime() function:

search "Fatal Error"
|stats earliest(_time) as started, latest(_time) as ended by host
|fieldformat started=strftime( started, "%Y-%m-%dT%H:%M:%S" )
|fieldformat ended=strftime( ended, "%Y-%m-%dT%H:%M:%S" )
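Because fieldformat only changes how a value is displayed, the underlying epoch numbers in started and ended remain available for arithmetic and sorting. The search below is an added example (not from the original post) that shows this: it computes a duration from the raw values, then formats all three columns for display, with the timezone offset appended so the ISO-8601 strings are unambiguous:

```spl
search "Fatal Error"
  |stats earliest(_time) as started, latest(_time) as ended, count by host
  |eval duration=ended-started
  |fieldformat started=strftime(started, "%Y-%m-%dT%H:%M:%S%:z")
  |fieldformat ended=strftime(ended, "%Y-%m-%dT%H:%M:%S%:z")
  |fieldformat duration=tostring(duration, "duration")
  |sort - duration
```

The sort still operates on the numeric duration even though the table shows it as HH:MM:SS, because fieldformat is applied only when results are rendered. Use eval instead of fieldformat if you need the formatted string itself in later commands or in an exported result set.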

Escaping a Backslash in Splunk

In a plain search string in Splunk a backslash is escaped by a single backslash, e.g. to search for MYDOMAIN\user123:

search MYDOMAIN\\user123

Inside a double-quoted regular expression string, however, the backslash that escapes the backslash must itself be escaped, so a single literal backslash is written as four! e.g. to filter for MYDOMAIN\user123:

|regex _raw="MYDOMAIN\\\\[a-zA-Z]+"
|rex field=_raw "MYDOMAIN\\\\(?<username>[a-zA-Z]+)"

Selecting a column in tab-delimited text in Splunk

So you have a raw field that looks something like this:

field1	field2	field3	field4	field5

… where the gaps between fields are tab characters (“\t” or ASCII character 9).

You might think the way to select the 3rd field would be as follows:

index=myindex mysearchterm
  |eval fields=split(_raw, "\t" )
  |eval desiredfield=mvindex(fields,2)

But no. The Splunk split() function does not recognise “\t” as the tab character.

A workaround is to replace every tab with a unique string (one that cannot occur in the data) and split on that instead. So the above could be re-written as:

index=myindex mysearchterm
  |eval myraw=_raw
  |rex mode=sed field=myraw "s/\t/MYUNIQUESEPARATOR/g"
  |eval fields=split(myraw, "MYUNIQUESEPARATOR" )
  |eval desiredfield=mvindex(fields,2)
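Note that mvindex() counts from zero, so index 2 is the 3rd field. The rex command, unlike split(), hands “\t” straight to the PCRE engine, so a single column can also be pulled out without the placeholder trick. The search below is an added example (not from the original post) that captures the 3rd column directly with rex and, for comparison, keeps the split-based multivalue field so the column count and the last column can be read with mvcount() and a negative mvindex():

```spl
index=myindex mysearchterm
  |rex field=_raw "^(?:[^\t]*\t){2}(?<desiredfield>[^\t]*)"
  |eval myraw=_raw
  |rex mode=sed field=myraw "s/\t/MYUNIQUESEPARATOR/g"
  |eval fields=split(myraw, "MYUNIQUESEPARATOR")
  |eval fieldcount=mvcount(fields), lastfield=mvindex(fields,-1)
  |table desiredfield fieldcount lastfield
```

The `(?:[^\t]*\t){2}` prefix skips exactly two tab-terminated columns, so change the repeat count to select a different column; the rex approach is the one to prefer when only one column is needed, while the split approach is handier when several columns or the column count are wanted from the same event.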