topic Re: How do you populate a field if the search time extracted field (using regular expression) is not presented in the logs? in Splunk Search

How do you populate a field if the search time extracted field (using regular expression) is not presented in the logs?

raj_mpl — Thu, 10 Jan 2019 05:28:19 GMT

Hi All,

I am trying to populate a custom field value if my search time extracted field is not present in the raw log by using the below two methods . Here refield is my search time extracted field

1)mysearch | eval Myfield=if(isnotnull(refield),refield,Custom_field)

2)|eval Myfield=coalesce(refield,Custom_field)

But, in the output, I am getting the result in Myfield as values of both refield and Custom_field .

Thank you !

Re: How do you populate a field if the search time extracted field (using regular expression) is not presented in the logs?

renjith_nair — Tue, 29 Sep 2020 22:40:58 GMT

@raj_mpl ,
Myfield=coalesce(refield,Custom_field) should give you the first non-null value. What you mean by both values are assigned to Myfield ? Is it a list or concatenated?

Re: How do you populate a field if the search time extracted field (using regular expression) is not presented in the logs?

raj_mpl — Thu, 10 Jan 2019 07:12:27 GMT

Hi @renjith.nair , Thanks for your reply on this
Yes I am getting the two results by concatenation in a separate line for Myfield

Myfield
Value1 (regex extracted string (captured group))
Value2( Custom_field value)

Re: How do you populate a field if the search time extracted field (using regular expression) is not presented in the logs?

renjith_nair — Thu, 10 Jan 2019 08:23:30 GMT

Do you mind sharing your search ?

Re: How do you populate a field if the search time extracted field (using regular expression) is not presented in the logs?

raj_mpl — Tue, 29 Sep 2020 22:41:01 GMT

Sure , Below is my search

 index=myindex |rex field=_raw "(?ms)TEXT\.\s+(?P<refield>.+?)at\s(web|org)\."|eval Custom_field=”check the log”| eval  Error_Description=if(isnotnull(refield),refield,Custom_field)|transaction  id,host  startswith="started" endswith="completed" |table  id host Error_Description

And also tried |eval Error_description=coalesce(refield,Custom_field)

Re: How do you populate a field if the search time extracted field (using regular expression) is not presented in the logs?

renjith_nair — Tue, 29 Sep 2020 22:41:04 GMT

@raj_mpl ,
Thats because your one transaction has more than one values for Error_Description. You can verify by removing the table command and look at the events directly

Re: How do you populate a field if the search time extracted field (using regular expression) is not presented in the logs?

raj_mpl — Thu, 10 Jan 2019 13:03:03 GMT

Hi @renjith.nair .., Yes my regex will extract the field value for Error_Description at search time , My requirement is if the regex provided will not able to pick anything as per the condition , I have to populate an new field

But what actually happening is The Error_Descriptin field is having field a value also in it as you said 2 values

Then what is the resolution for this?

Re: How do you populate a field if the search time extracted field (using regular expression) is not presented in the logs?

renjith_nair — Tue, 29 Sep 2020 22:41:07 GMT

@raj_mpl ,since the transaction doesn't depend on the Error_Description , do the coalesce after the transaction and before the table command or just fillnull value="check the log" Error_Description

Re: How do you populate a field if the search time extracted field (using regular expression) is not presented in the logs?

raj_mpl — Fri, 11 Jan 2019 09:26:02 GMT

Thank you @renjith.nair , I just changed the placement of the Error_Description filed
And it worked perfectly .

On an other note can you give some ideas to me to find the Long running jobs using transaction command.
I want to create an alert for long running transactions .
Consider events will start with "start" and completes with "closed" string. In this with a Customer_Id common in them .

Note : My focus is not on completed transactions , I have to identify the ongoing jobs which are running from past 2 hours and not closed yet (still running) .

Thank you .
Rajesh

Re: How do you populate a field if the search time extracted field (using regular expression) is not presented in the logs?

renjith_nair — Fri, 11 Jan 2019 10:24:54 GMT

@raj_mpl ,alright. I will move the comment to the answer section.
For your next question, is the customer id unique for each transaction ? and if not how do you identify the transactions - especially if another transaction starts and end before the first transaction (overlapping) ? If there is a uniq id for each transaction/job, we might be able to find it without using a transaction command.

Re: How do you populate a field if the search time extracted field (using regular expression) is not presented in the logs?

renjith_nair — Fri, 11 Jan 2019 10:29:24 GMT

@raj_mpl ,

The duplicated values are because of transaction command which brings together all the values matches the transaction.

Since since the transaction doesn't depend on the Error_Description , do the coalesce after the transaction and before the table command or just fillnull value="check the log" Error_Description at the end of the search

e.g.

  index=myindex |rex field=_raw "(?ms)TEXT\.\s+(?P<refield>.+?)at\s(web|org)\."|eval Custom_field=”check the log”
  |transaction  id,host  startswith="started" endswith="completed"
  |eval  Error_Description=coalesce(refield,Custom_field)
  |table  id host Error_Description

Re: How do you populate a field if the search time extracted field (using regular expression) is not presented in the logs?

raj_mpl — Fri, 11 Jan 2019 10:32:13 GMT

Thank you @renjith.nair . I just changed the placement of the Error_Description filed
And it worked perfectly . Thank you

Re: How do you populate a field if the search time extracted field (using regular expression) is not presented in the logs?

renjith_nair — Fri, 11 Jan 2019 10:41:58 GMT

@raj_mpl , for incomplete transaction as mentioned in the comment ,

try

 |transaction  id,host  startswith="started" endswith="completed" keepevicted=true
 |where closed_txn=0|eval runTime=round((now()-_time)/3600,2)
|where runTime>2

Re: How do you populate a field if the search time extracted field (using regular expression) is not presented in the logs?

raj_mpl — Tue, 29 Sep 2020 22:44:51 GMT

Hi @renjith.nair , Yes the Job name(customer ID) and the id is unique for each transaction
Below is the Query I am using for still running Jobs .
index=myindex "] Agent" "load plan instance" | rex field=_raw "instance\s(?[^)]+)\s((?[^)]+)" |transaction Job_Name,id startswith="started plan instance" endswith="successfully completed Plan" keepevicted=true | where closed_txn=0 | search NOT stopped | table _time, Job_Name, userid

My requirement is to get an alert for the transaction which is still in progress (from past 2hours) , I will schedule the alert to run every 20 min using cron notation

Re: How do you populate a field if the search time extracted field (using regular expression) is not presented in the logs?

raj_mpl — Fri, 11 Jan 2019 11:06:46 GMT

You can reply me in the thread Can you help me create an alert involving the transaction command

Re: How do you populate a field if the search time extracted field (using regular expression) is not presented in the logs?

raj_mpl — Fri, 11 Jan 2019 11:33:22 GMT

Can you please explain a bit , What actually it will perform ?