Solved: Re: In a Splunk search query, how do I check to s...

pratapak · ‎09-21-2018

Hello, I am pretty new to splunk and don't have much knowledge. Please help me

Log Message

message:     2018-09-21T07:15:28,458+0000 comp=hub-lora-ingestor-0 [vert.x-eventloop-thread-0] INFO  com.nsc.iot.hono.receiver.HonoReceiver - Connected successfully, creating telemetry consumer ...

I want to check if message contains "Connected successfully, creating telemetry consumer ..." and based on this want to assign "1" or "0" to a variable.

Splunk search Query

(index="05c48b55-c9aa-4743-aa4b-c0ec618691dd" ("Retry connecting in 1000ms ..." OR "Connect or create consumer failed with exception" OR "Connected successfully, creating telemetry consumer ...")) 
| rex field=_raw ^(?:[^ \n]* ){7}(?P<success_status_message>\w+\s+\w+,\s+\w+\s+\w+\s+\w+)"
| timechart count as status | eval status=if(isnull(success_status_message), 0, 1)

"success_status_message" is always null and I'm not sure why. I want to get message in "success_status_message" field and check if "success_status_message" contains some text value.

Note: regex I generated using Splunk extract field feature

kamlesh_vaghela · ‎09-22-2018

@pratapak

If you want to check whether an event contains a perticular string or not then you can u se following search.

| makeresults 
| eval _raw="message:     2018-09-21T07:15:28,458+0000 comp=hub-lora-ingestor-0 [vert.x-eventloop-thread-0] INFO  com.nsc.iot.hono.receiver.HonoReceiver - Connected successfully, creating telemetry consumer ..." 
| eval status=if(like(_raw,"%Connected successfully, creating telemetry consumer%"),1,0)

Search for multiple string matching

| makeresults 
| eval _raw="message:     2018-09-21T07:15:28,458+0000 comp=hub-lora-ingestor-0 [vert.x-eventloop-thread-0] INFO  com.nsc.iot.hono.receiver.HonoReceiver - Connected successfully, creating telemetry consumer ..." 
| eval flag=if(like(_raw,"%Connected successfully, creating telemetry consumer%") 
OR like(_raw,"%Retry connecting in 1000ms ...r%")
OR like(_raw,"%Connect or create consumer failed with exception%"),1,0)

Check following search also for timechart by success_status_message.

| makeresults 
| eval _raw="message:     2018-09-21T07:15:28,458+0000 comp=hub-lora-ingestor-0 [vert.x-eventloop-thread-0] INFO  com.nsc.iot.hono.receiver.HonoReceiver - Connected successfully, creating telemetry consumer ..." 
| append 
    [| makeresults 
    | eval _raw="message:     2018-09-21T07:15:28,458+0000 comp=hub-lora-ingestor-0 [vert.x-eventloop-thread-0] INFO  com.nsc.iot.hono.receiver.HonoReceiver - Retry connecting in 1000ms ..." 
        ] 
| append 
    [| makeresults 
    | eval _raw="message:     2018-09-21T07:15:28,458+0000 comp=hub-lora-ingestor-0 [vert.x-eventloop-thread-0] INFO  com.nsc.iot.hono.receiver.HonoReceiver - Connect or create consumer failed with exception" 
        ] 
| rex field=_raw "-\s(?<success_status_message>.*)"
| timechart count by success_status_message

try following search

(index="05c48b55-c9aa-4743-aa4b-c0ec618691dd" ("Retry connecting in 1000ms ..." OR "Connect or create consumer failed with exception" OR "Connected successfully, creating telemetry consumer ...")) 
| rex field=_raw "-\s(?<success_status_message>.*)"
| timechart count by success_status_message

Thanks

View solution in original post

kamlesh_vaghela · ‎09-22-2018

@pratapak

If you want to check whether an event contains a perticular string or not then you can u se following search.

| makeresults 
| eval _raw="message:     2018-09-21T07:15:28,458+0000 comp=hub-lora-ingestor-0 [vert.x-eventloop-thread-0] INFO  com.nsc.iot.hono.receiver.HonoReceiver - Connected successfully, creating telemetry consumer ..." 
| eval status=if(like(_raw,"%Connected successfully, creating telemetry consumer%"),1,0)

Search for multiple string matching

| makeresults 
| eval _raw="message:     2018-09-21T07:15:28,458+0000 comp=hub-lora-ingestor-0 [vert.x-eventloop-thread-0] INFO  com.nsc.iot.hono.receiver.HonoReceiver - Connected successfully, creating telemetry consumer ..." 
| eval flag=if(like(_raw,"%Connected successfully, creating telemetry consumer%") 
OR like(_raw,"%Retry connecting in 1000ms ...r%")
OR like(_raw,"%Connect or create consumer failed with exception%"),1,0)

Check following search also for timechart by success_status_message.

| makeresults 
| eval _raw="message:     2018-09-21T07:15:28,458+0000 comp=hub-lora-ingestor-0 [vert.x-eventloop-thread-0] INFO  com.nsc.iot.hono.receiver.HonoReceiver - Connected successfully, creating telemetry consumer ..." 
| append 
    [| makeresults 
    | eval _raw="message:     2018-09-21T07:15:28,458+0000 comp=hub-lora-ingestor-0 [vert.x-eventloop-thread-0] INFO  com.nsc.iot.hono.receiver.HonoReceiver - Retry connecting in 1000ms ..." 
        ] 
| append 
    [| makeresults 
    | eval _raw="message:     2018-09-21T07:15:28,458+0000 comp=hub-lora-ingestor-0 [vert.x-eventloop-thread-0] INFO  com.nsc.iot.hono.receiver.HonoReceiver - Connect or create consumer failed with exception" 
        ] 
| rex field=_raw "-\s(?<success_status_message>.*)"
| timechart count by success_status_message

try following search

(index="05c48b55-c9aa-4743-aa4b-c0ec618691dd" ("Retry connecting in 1000ms ..." OR "Connect or create consumer failed with exception" OR "Connected successfully, creating telemetry consumer ...")) 
| rex field=_raw "-\s(?<success_status_message>.*)"
| timechart count by success_status_message

Thanks

pratapak · ‎09-22-2018

@kamlesh_vaghela thanks for the answer. But my scenario is I want to show 1 in chart if my log message contains "Connected successfully, creating telemetry consumer ..." if not would like to show 0.

kamlesh_vaghela · ‎09-22-2018

@pratapak

So try this:

| makeresults 
 | eval _raw="message:     2018-09-21T07:15:28,458+0000 comp=hub-lora-ingestor-0 [vert.x-eventloop-thread-0] INFO  com.nsc.iot.hono.receiver.HonoReceiver - Connected successfully, creating telemetry consumer ..." 
 | eval status=if(like(_raw,"%Connected successfully, creating telemetry consumer%"),1,0)

This search will return status filed with 0 and 1 value. If your event contains 'Connected successfully, creating telemetry consumer' then it will return 1 else 0.

Now let me know how you want to display status in your chart. Any sample dataset or example will help a lot.

pratapak · ‎09-22-2018

@kamlesh_vaghela for every 10 mins I want to display connection status on a chart. Status 1 means connection successful and status 0 means connection is unsuccessful

pratapak · ‎09-22-2018

@kamlesh_vaghela chart something like this https://ibb.co/mO5dxU

kamlesh_vaghela · ‎09-22-2018

@pratapak

Try this:

| makeresults 
  | eval _raw="message:     2018-09-21T07:15:28,458+0000 comp=hub-lora-ingestor-0 [vert.x-eventloop-thread-0] INFO  com.nsc.iot.hono.receiver.HonoReceiver - Connected successfully, creating telemetry consumer ..." 
  | eval status=if(like(_raw,"%Connected successfully, creating telemetry consumer%"),1,0) |timechart latest(status) as status span=10m

kamlesh_vaghela · ‎09-22-2018

@pratapak

Glad to help you.

pratapak · ‎09-22-2018

@kamlesh_vaghela thanks for the help

In a Splunk search query, how do I check to see if a log message has text or not?

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

Transform your security operations with Splunk Enterprise Security

Splunk Admins and App Developers | Earn a $35 gift card!