topic Re: subsearches in Splunk Search

subsearches

phoenix09 — Mon, 02 Nov 2020 05:46:28 GMT

hello

Re: subsearches

phoenix09 — Mon, 02 Nov 2020 05:48:44 GMT

1. I need to create an alert for http 500 failures

2. But I there is this scenario where some http 500 events when triggered, triggers one more event with a message. So I do not want these type of 500 events to be included in the alert

Please help with a query.

Re: subsearches

gcusello — Mon, 02 Nov 2020 07:05:07 GMT

Hi @phoenix09,

did you identified or extracted the message?

if yes, you can simply exclude it from the search: in other words, if the message contains always the word INFO or you extracted the message field, try something like this:

your_search http_response=500 NOT INFO | ...

your_search http_response=500 NOT message=* | ...

Ciao.

Giuseppe

Re: subsearches

phoenix09 — Mon, 02 Nov 2020 13:27:27 GMT

The http 500 event which is caused due to an exception has the same fields like the valid http 500 error event. So there is no unique word in the event that I can say NOT "this"

Re: subsearches

gcusello — Mon, 02 Nov 2020 13:34:52 GMT

Hi @phoenix09,

could you share some sample of your events? both correct and not correct.

Ciao.

Giuseppe

Re: subsearches

phoenix09 — Mon, 02 Nov 2020 14:28:48 GMT

As of now I do not have the log for a valid 500 Error

But for the 500 Error which I want to exclude has two events something like below

Date|LOG_LEVEL:INFO|THREAD_NAME:-|CORRELATION:-|MessID:<dynamicvalue>|MESSAGE:LOGTYPE, SERVER=ip, URL=-, URI=-, METHOD=POST, PARA={"MessID":["<dynamicvalue>"],,"Connection":["close"]}, CODE=500, RTIME=342

In the above "MessID" value will be the same

Re: subsearches

gcusello — Mon, 02 Nov 2020 15:39:39 GMT

Hi @phoenix09,

it's difficoult to help you without having something to analyze!

the only way is to identify something unique in the logs to discard or to take.

Ciao.

Giuseppe