Combine results of two searches

alwinaugustin — Fri, 01 Oct 2021 12:24:05 GMT

I have error messages in the following formats

{ "level":"error", "message":"Log: \"error in action {\\\"status\\\":\\\"error\\\",\\\"message_error\\\":\\\"blacklisted\\\"}\"", "timestamp":"2021-09-27T16:39:07-04:00" }

and

{ "level":"error", "message":"Log: \"error in action \\\"<HTML><HEAD>\\\\n<TITLE>Service Unavailable</TITLE>\\\\n</HEAD><BODY>\\\\n<h1>Service Unavailable - Zero size object</h1>\\\\nThe server is temporarily unable to service your request. Please try again\\\\nlater.<p>\\\\nReference #15\\\\n</BODY></HTML>\\\\n\\\"\"", "timestamp":"2021-09-26T23:12:25-04:00" }

Now I am creating a dashboard for displaying the overall error counts for a period of time. The following query gives me the count based on the message_error.

index=my_index_name sourcetype=my_source_type_name:app | spath message | regex message="^.*error in action.*$" | eval error_json=replace(ltrim(message, "Log: \"error in action"),"\\\\\"","\"") | spath input=error_json output=error_message path=message_error | top error_message

As what I am doing is JSON parsing, it is not applicable for the second type of error message. This is basically HTML after the common error string. I would like to print the count for this error along with the counts of the errors which belong to the first group.

For the first group of errors, by using the above query, I am getting the following result

error_message	count
blacklisted	10
captcha error	9
Internal Server Error	8

What I need is

error_message	count
blacklisted	10
captcha error	9
Internal Server Error	8
Service Unavailable	5

That is I need to show the count of errors even if it is not in the JSON format. Both the errors start with the common string "Log: error in action". If I use another query like :

index=my_index_name sourcetype=my_source_type_name:app | spath message | regex message="^.*Service Unavailable - Zero size object.*$"| stats count as error_count

it will give the count. But first I want to combine the results and show them as a single result and second the above query is limited for a specific error message. So I would like to show a part of the message after "Log: error in action", if it is not in JSON format and the corresponding count.

I am new to Splunk and It will be very much helpful if someone can point out the solution for this.

Re: Combine results of two searches

ITWhisperer — Fri, 01 Oct 2021 12:55:36 GMT

First part just sets up two example events

| makeresults | eval _raw="{ \"level\":\"error\", \"message\":\"Log: \\\"error in action {\\\\\\\"status\\\\\\\":\\\\\\\"error\\\\\\\",\\\\\\\"message_error\\\\\\\":\\\\\\\"blacklisted\\\\\\\"}\\\"\", \"timestamp\":\"2021-09-27T16:39:07-04:00\" }" | append [| makeresults | eval _raw="{ \"level\":\"error\", \"message\":\"Log: \\\"error in action \\\\\\\"<HTML><HEAD>\\\\\\\\n<TITLE>Service Unavailable</TITLE>\\\\\\\\n</HEAD><BODY>\\\\\\\\n<h1>Service Unavailable - Zero size object</h1>\\\\\\\\nThe server is temporarily unable to service your request. Please try again\\\\\\\\nlater.<p>\\\\\\\\nReference #15\\\\\\\\n</BODY></HTML>\\\\\\\\n\\\\\\\"\\\"\", \"timestamp\":\"2021-09-26T23:12:25-04:00\" }"] | spath message | regex message="^.*error in action.*$" | eval error_json=replace(ltrim(message, "Log: \"error in action"),"\\\\\"","\"") | spath input=error_json output=error_message path=message_error | rex field=message "(?<error_message>Service Unavailable)" | top error_message

topic Re: Combine results of two searches in Splunk Search

Combine results of two searches

Re: Combine results of two searches