Event alert

Pravinsugi · ‎12-08-2023

i have three events like received message class.if you seee the pic,you will be seeing 3 event for each customer .each event have customerordernumber.i want to check for each and every customer I have all three event message in the splunk log.how to write splunk query for that.

gcusello · ‎12-08-2023

let me understand:

for each customerOrderNumber, you have three Received message classes,
you want to check that's this is true fro each one,

is it correct?

At first, next time, please share your samples in text format to avoid to rewrite all of them.

Then I suppose that you already extracted the two fields customerOrderNumber and Received_message_class, otherwise you have to extract them, but to help you in this I need of your sample logs in text format.

Anyway, you should run something like this:

<your_search>
| stats 
   dc(Received_message_class) AS Received_message_class_count 
   values(Received_message_class) AS Received_message_class
   BY customerOrderNumber 
| eval status=if(Received_message_class_cont=3,"OK","there are only the following Messages: ".Received_message_class
| table customerOrderNumber status

Ciao.

Giuseppe

Event alert

email

Best Strategies to Optimize Observability Costs

Fueling your curiosity with new Splunk ILT and eLearning courses

Splunk AI Assistant for SPL 1.1.0 | Now Personalized to Your Environment for Greater ...