topic Re: mvindex with a conditional in Splunk Search

How do I write this search with a mvindex with a conditional?

user33 — Wed, 08 Feb 2023 16:44:29 GMT

Hello,

I have the below SPL with the two mvindex functions.

mvindex position '6' in the array is supposed to apply http statuses for /developers.

mvindex position '10' in the array is supposed to apply http statuses for /apps.

Currently position 6 and 10 are crossing events. Applying to both APIs. Is there anyway I can have one mvindex apply to one command?

(index=wf_pvsi_virt OR index=wf_pvsi_tmps) (sourcetype="wf:wca:access:txt" OR sourcetype="wf:devp1:access:txt") wf_env=PROD | eval temp=split(_raw," ") | eval API=mvindex(temp,4,8) | eval http_status=mvindex(temp,6,10) | search ( "/services/protected/v1/developers" OR "/wcaapi/userReg/wgt/apps" ) | search NOT "Mozilla" | eval API = if(match(API,"/services/protected/v1/developers"), "DEVP1: Developers", API) | eval API = if(match(API,"/wcaapi/userReg/wgt/apps"), "User Registration Enhanced Login", API)

Re: mvindex with a conditional

ITWhisperer — Tue, 07 Feb 2023 22:44:28 GMT

| eval status_index = if(match(API,"/services/protected/v1/developers"), 6, 10) | eval http_status=mvindex(temp, status_index)

Re: mvindex with a conditional

user33 — Wed, 08 Feb 2023 13:49:00 GMT

Thank you!!

However, if I wanted to make more than one "status_index" for each API and then combine all status_indexes into one field called "http_status"; how would I do that?

Re: mvindex with a conditional

user33 — Wed, 08 Feb 2023 13:50:51 GMT

What I am attempting to do below:

| eval temp=split(_raw," ") | eval API=mvindex(temp,4,8) ```| eval http_status=mvindex(temp,6,10)``` | eval status_index = if(match(API,"/services/protected/v1/developers"), 4, 6) | eval status_index1 = if(match(API,"/services/public/v1/signup"), 4, 6) | eval status_index2 = if(match(API,"/wcaapi/userReg/wgt/apps"), 8, 10) | eval http_status=mvindex(temp, status_index) | search ( "/services/public/v1/signup" OR "/services/protected/v1/developers" OR "/services/public/v1/captcha" OR "/wcaapi/userReg/wgt/apps" ) | eval API = if(match(API,"/services/public/v1/signup"), "DEVP1: Signup", API) | eval API = if(match(API,"/services/protected/v1/developers"), "DEVP1: Developers", API) | eval API = if(match(API,"/services/public/v1/captcha"), "DEVP1: Captcha", API) | eval API = if(match(API,"/wcaapi/userReg/wgt/apps"), "User Registration Enhanced Login", API)

Re: mvindex with a conditional

ITWhisperer — Wed, 08 Feb 2023 15:53:37 GMT

I am not sure I understand what you are trying to do. Please can you share some sample events and highlight which part you want extracted to which field - rex might be an easier option for you.

Re: mvindex with a conditional

user33 — Wed, 08 Feb 2023 16:53:45 GMT

Not a problem. It looks like I may have achieved it by modifying your solution. I had issues in the past with Regex so was hoping to use this. I am not sure what "null" does in the below "status_index" but it seems to work by not including frivolous information.

| eval temp=split(_raw," ") | eval status_index1 = if(match(API,"/services/protected/v1/developers"), 6, null) | eval status_index2 = if(match(API,"/services/public/v1/signup"), 6, null) | eval status_index3 = if(match(API,"/wcaapi/userReg/wgt/apps"), 10, null) | eval http_status1 = mvindex(temp, status_index1) | eval http_status2 = mvindex(temp, status_index2) | eval http_status3 = mvindex(temp, status_index3) | eval http_status = coalesce(http_status1, http_status2, http_status3) | search ( "/services/public/v1/signup" OR "/services/protected/v1/developers" OR "/services/public/v1/captcha" OR "/wcaapi/userReg/wgt/apps" ) | search NOT "Mozilla" | eval API = if(match(API,"/services/public/v1/signup"), "DEVP1: Signup", API) | eval API = if(match(API,"/services/protected/v1/developers"), "DEVP1: Developers", API) | eval API = if(match(API,"/services/public/v1/captcha"), "DEVP1: Captcha", API) | eval API = if(match(API,"/wcaapi/userReg/wgt/apps"), "User Registration Enhanced Login", API) | fields API, http_status, wf_env | convert timeformat="%Y-%m" ctime(_time) AS Date | stats count(http_status) as Total_Calls, count(eval(http_status>=500)) as Server_Error by Date, API, wf_env | eval SuccessRate=round((1-(Server_Error/Total_Calls)) * 100,2)