topic Re: Trying to remove certain strings in a aggregated operation in Splunk Search

Trying to remove certain strings in a aggregated operation

praddasg — Wed, 30 Sep 2020 04:16:51 GMT

Hello,

From the below query

I am trying to remove certain strings from a field "message" or find the a specific string seems does not working, tried including but the result still has values which has this message
At the same time i tried using the command to remove the strings which has in the field message but still does not seem to work

index=apps
sourcetype="pos-generic:prod" Received request to change status=CONFIRMED OR status=REJECTED
partner_account_name="Level Up"
| stats count by status, merchantId
| xyseries merchantId, status, count
| eval result = (REJECTED)/((CONFIRMED+REJECTED))*100
| fillnull value=100 result
| eval count = CONFIRMED + REJECTED
| where count >= 10
| where result >= 20

Re: Trying to remove certain strings in a aggregated operation

jpolvino — Mon, 17 Feb 2020 21:32:23 GMT

Just a few observations from what you've posted.

Consider putting this in double quotes: Received request to change
For readability, make your stats say stats count AS Volume by status,count Then you can use Volume later on with less confusion.
The stats command destroys native fields and only give you aggregated fields it produces. So you cannot access REJECTED or CONFIRMED.
Can you please post what you get after your xyseries line and what you want to do with those values? Feel free to dummy up the data to hide confidential info.

Re: Trying to remove certain strings in a aggregated operation

praddasg — Wed, 30 Sep 2020 04:17:07 GMT

So when I run the query mentioned above i get the following result

The merchantID 1684264 has message "xyz" and also have REJECT count as 6. I verified all the REJECT of this merchantId has the same message.

Now I am trying to execute the query as below

index=apps
sourcetype="pos-generic:prod" Received request to change status=CONFIRMED OR status=REJECTED AND message!="xyz"
partner_account_name="Level Up"
| stats count by status, merchantId
| xyseries merchantId, status, count
| eval result = (REJECTED)/((CONFIRMED+REJECTED))*100
| fillnull value=100 result
| eval count = CONFIRMED + REJECTED
| where count >= 10
| where result >= 20

My expectation is not to show the result of merchantId = 1684264 as it has all the 6 REJECT count as this message (my expectation is getting fulfilled). When I was trying yesterday it was not, may be I was doing something wrong.

Now what I want to try is, instead of passing an exact string for the message field, i would want to pass something like message contains something like "item". So it might be "some items missing" or "items not there". So i just want to use "item" as the common

Re: Trying to remove certain strings in a aggregated operation

praddasg — Tue, 18 Feb 2020 14:32:33 GMT

I tried using but it is not giving me any result

Re: Trying to remove certain strings in a aggregated operation

praddasg — Tue, 18 Feb 2020 15:20:23 GMT

I tried using https://answers.splunk.com/answers/479010/how-to-write-a-search-with-the-condition-if-field1.html but no help either

Re: Trying to remove certain strings in a aggregated operation

praddasg — Tue, 18 Feb 2020 15:47:08 GMT

ok i used something like
| regex message != "item"

not sure if this would have any further complication. Checking