topic Re: How to write a search where if a certain string is found in a log, set Status=1, else Status=0? in Splunk Search

How to write a search where if a certain string is found in a log, set Status=1, otherwise Status=0?

svivekananda007 — Mon, 11 Jan 2021 22:12:10 GMT

I need to find a string in a log and set/unset a field depending on this.
Ex: field Status = 1 or 0.
I should say if(a_log_event contains "connected") then Status=1, otherwise 0

Please help me with this

THanks

Re: How to write a search where if a certain string is found in a log, set Status=1, else Status=0?

woodcock — Thu, 04 Jun 2015 22:40:07 GMT

Like this:

... | eval Status=if(like(_raw, "%connected%"), 1, 0)

Re: How to write a search where if a certain string is found in a log, set Status=1, else Status=0?

svivekananda007 — Thu, 04 Jun 2015 22:46:32 GMT

THis worked. thanks. can you suggest me a way to keep Status=1 until "disconnected" is encountered in a log.

Thanks

Re: How to write a search where if a certain string is found in a log, set Status=1, else Status=0?

kristian_kolb — Fri, 05 Jun 2015 09:47:48 GMT

Define what you mean by "keep"? This evaluation creates a new field on a per-event basis. It is not keeping a state. Remember that a log searching tool is not necessarily the best way for finding out a state, because for whatever timerange you search, you might always miss that important piece of state information that was logged 5 minutes before your search time span...

Re: How to write a search where if a certain string is found in a log, set Status=1, else Status=0?

Nextbeat — Tue, 27 Mar 2018 08:42:19 GMT

This definitely works. It's good to know that % acts like a wildcard for eval statements in Splunk.

Re: How to write a search where if a certain string is found in a log, set Status=1, else Status=0?

timmag — Fri, 06 Apr 2018 10:38:42 GMT

Say suppose, I get those logs every minute. Is there a way where I can create a field where if I get successive '0' in status(More than once), the field would display the status as error?

Re: How to write a search where if a certain string is found in a log, set Status=1, else Status=0?

Nextbeat — Mon, 09 Apr 2018 06:15:38 GMT

| bucket _time span=1m | stats count(eval(like(<field>, "<status%>"))) AS count BY _time | eval <new_field>=if(count > 1, "error", "")

Use the bucket function to view events per minute. Then use stats to count a desired field by a value using the percent sign as a wildcard. The second eval statement creates a new field and looks for counts greater than one. If there are any counts greater than one, "error" will be displayed for that event within the new field. Otherwise, nothing will be displayed for the new field.

Re: How to write a search where if a certain string is found in a log, set Status=1, else Status=0?

garigis — Fri, 11 Jan 2019 21:59:32 GMT

Thanks for this! I've been trying to figure this out for about an hour and tried a bunch of other stuff.

Re: How to write a search where if a certain string is found in a log, set Status=1, else Status=0?

woodcock — Sat, 12 Jan 2019 01:12:55 GMT

Be sure to UpVote!

Re: How to write a search where if a certain string is found in a log, set Status=1, else Status=0?

woodcock — Tue, 18 Jun 2019 16:43:21 GMT

If you are more used to Splunk SPL search syntax, you could do it like this:

 ... | eval Status=if(searchmatch("*connected*"), 1, 0)