
In a Splunk search query, how do I check to see if a log message has text or not?

pratapak
Explorer

Hello, I am pretty new to Splunk and don't have much knowledge. Please help me.

Log Message

message:     2018-09-21T07:15:28,458+0000 comp=hub-lora-ingestor-0 [vert.x-eventloop-thread-0] INFO  com.nsc.iot.hono.receiver.HonoReceiver - Connected successfully, creating telemetry consumer ...

I want to check if message contains "Connected successfully, creating telemetry consumer ..." and based on this want to assign "1" or "0" to a variable.

Splunk search Query

(index="05c48b55-c9aa-4743-aa4b-c0ec618691dd" ("Retry connecting in 1000ms ..." OR "Connect or create consumer failed with exception" OR "Connected successfully, creating telemetry consumer ...")) 
| rex field=_raw "^(?:[^ \n]* ){7}(?P<success_status_message>\w+\s+\w+,\s+\w+\s+\w+\s+\w+)"
| timechart count as status 
| eval status=if(isnull(success_status_message), 0, 1)

"success_status_message" is always null and I'm not sure why. I want to get the message into the "success_status_message" field and check whether "success_status_message" contains some text value.

Note: I generated the regex using the Splunk extract-field feature.

0 Karma
1 Solution

kamlesh_vaghela
SplunkTrust

@pratapak

If you want to check whether an event contains a particular string or not, you can use the following search.

| makeresults 
| eval _raw="message:     2018-09-21T07:15:28,458+0000 comp=hub-lora-ingestor-0 [vert.x-eventloop-thread-0] INFO  com.nsc.iot.hono.receiver.HonoReceiver - Connected successfully, creating telemetry consumer ..." 
| eval status=if(like(_raw,"%Connected successfully, creating telemetry consumer%"),1,0)

Search for multiple string matching

| makeresults 
| eval _raw="message:     2018-09-21T07:15:28,458+0000 comp=hub-lora-ingestor-0 [vert.x-eventloop-thread-0] INFO  com.nsc.iot.hono.receiver.HonoReceiver - Connected successfully, creating telemetry consumer ..." 
| eval flag=if(like(_raw,"%Connected successfully, creating telemetry consumer%") 
    OR like(_raw,"%Retry connecting in 1000ms ...%") 
    OR like(_raw,"%Connect or create consumer failed with exception%"),1,0)

Also check the following search for a timechart by success_status_message.

| makeresults 
| eval _raw="message:     2018-09-21T07:15:28,458+0000 comp=hub-lora-ingestor-0 [vert.x-eventloop-thread-0] INFO  com.nsc.iot.hono.receiver.HonoReceiver - Connected successfully, creating telemetry consumer ..." 
| append 
    [| makeresults 
    | eval _raw="message:     2018-09-21T07:15:28,458+0000 comp=hub-lora-ingestor-0 [vert.x-eventloop-thread-0] INFO  com.nsc.iot.hono.receiver.HonoReceiver - Retry connecting in 1000ms ..." 
        ] 
| append 
    [| makeresults 
    | eval _raw="message:     2018-09-21T07:15:28,458+0000 comp=hub-lora-ingestor-0 [vert.x-eventloop-thread-0] INFO  com.nsc.iot.hono.receiver.HonoReceiver - Connect or create consumer failed with exception" 
        ] 
| rex field=_raw "-\s(?<success_status_message>.*)"
| timechart count by success_status_message

Try the following search:

(index="05c48b55-c9aa-4743-aa4b-c0ec618691dd" ("Retry connecting in 1000ms ..." OR "Connect or create consumer failed with exception" OR "Connected successfully, creating telemetry consumer ...")) 
| rex field=_raw "-\s(?<success_status_message>.*)"
| timechart count by success_status_message

Thanks

pratapak
Explorer

@kamlesh_vaghela thanks for the answer. But my scenario is that I want to show 1 in the chart if my log message contains "Connected successfully, creating telemetry consumer ..." and, if not, I would like to show 0.

0 Karma

kamlesh_vaghela
SplunkTrust

@pratapak

So try this:

| makeresults 
 | eval _raw="message:     2018-09-21T07:15:28,458+0000 comp=hub-lora-ingestor-0 [vert.x-eventloop-thread-0] INFO  com.nsc.iot.hono.receiver.HonoReceiver - Connected successfully, creating telemetry consumer ..." 
 | eval status=if(like(_raw,"%Connected successfully, creating telemetry consumer%"),1,0)

This search will return a status field with a 0 or 1 value. If your event contains 'Connected successfully, creating telemetry consumer' then it will return 1, else 0.

Now let me know how you want to display status in your chart. Any sample dataset or example will help a lot.

0 Karma

pratapak
Explorer

@kamlesh_vaghela For every 10 minutes I want to display the connection status on a chart. Status 1 means the connection was successful and status 0 means the connection was unsuccessful.


0 Karma

pratapak
Explorer

@kamlesh_vaghela chart something like this https://ibb.co/mO5dxU

0 Karma

kamlesh_vaghela
SplunkTrust

@pratapak

Try this:

| makeresults 
| eval _raw="message:     2018-09-21T07:15:28,458+0000 comp=hub-lora-ingestor-0 [vert.x-eventloop-thread-0] INFO  com.nsc.iot.hono.receiver.HonoReceiver - Connected successfully, creating telemetry consumer ..." 
| eval status=if(like(_raw,"%Connected successfully, creating telemetry consumer%"),1,0) 
| timechart latest(status) as status span=10m

0 Karma
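Added example, not code from the thread: the `like()` test from the accepted answer and the `timechart latest(status) span=10m` from the reply above, emulated in Python over constructed log lines that copy the layout of the one event posted in the question, so the behaviour can be checked offline. It also runs the question's extract-field regex against that line, which shows why `success_status_message` stays empty there: the regex is anchored to seven space-delimited tokens from the start of the line, and on the posted line the text at that position is `[vert.x-eventloop-thread-0]`, which `\w+` cannot match (the question's search additionally pipes through `timechart count` before its `eval`, and after a `timechart` the extracted field no longer exists, so `isnull()` is always true). The `fillnull` step at the end is an assumption about what the asker wants: in Splunk a 10-minute bucket with no matching event has no `latest(status)` value at all, which is not a 0 on the chart; `| fillnull value=0 status` after the `timechart` turns it into one.

```python
"""Added example: emulate the accepted SPL answer over constructed log lines.

SPL being mirrored (from the thread):
  | rex field=_raw "-\\s(?<success_status_message>.*)"
  | eval status=if(like(_raw,"%Connected successfully, creating telemetry consumer%"),1,0)
  | timechart latest(status) as status span=10m
  | fillnull value=0 status          <- assumption: quiet buckets should chart as 0
"""
import re
from datetime import datetime, timedelta

# Regex the question's extract-field wizard produced: skips exactly seven
# space-delimited tokens, then expects "word word, word word word".
ORIGINAL_REX = re.compile(
    r"^(?:[^ \n]* ){7}(?P<success_status_message>\w+\s+\w+,\s+\w+\s+\w+\s+\w+)")
# Regex from the accepted answer: everything after the first "- " separator.
ANSWER_REX = re.compile(r"-\s(?P<success_status_message>.*)")
# Event timestamp as it appears in the posted line, e.g. 2018-09-21T07:15:28,458+0000
TIMESTAMP_REX = re.compile(r"\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2},\d{3}[+-]\d{4}")
SUCCESS_TEXT = "Connected successfully, creating telemetry consumer"


def _event(hhmmss, text):
    """Constructed sample event; assumes every line has the layout of the one in the question."""
    return ("message:     2018-09-21T%s,458+0000 comp=hub-lora-ingestor-0 "
            "[vert.x-eventloop-thread-0] INFO  com.nsc.iot.hono.receiver.HonoReceiver - %s"
            % (hhmmss, text))


SAMPLE_EVENTS = [  # constructed for this example, not real ingestor output
    _event("07:15:28", "Connected successfully, creating telemetry consumer ..."),
    _event("07:22:01", "Retry connecting in 1000ms ..."),
    _event("07:24:40", "Connect or create consumer failed with exception"),
    _event("07:27:59", "Connected successfully, creating telemetry consumer ..."),
    # nothing logged between 07:30 and 07:40
    _event("07:45:10", "Retry connecting in 1000ms ..."),
]


def extract_status_message(raw, regex=ANSWER_REX):
    """rex field=_raw ...: the named group, or None when the regex does not match."""
    m = regex.search(raw)
    return m.group("success_status_message") if m else None


def connection_status(raw):
    """eval status=if(like(_raw,"%...%"),1,0): a plain substring test, nothing more."""
    return 1 if SUCCESS_TEXT in raw else 0


def event_time(raw):
    """_time of the event, parsed from the timestamp embedded in the line."""
    m = TIMESTAMP_REX.search(raw)
    if m is None:
        raise ValueError("no timestamp in event: %r" % raw)
    return datetime.strptime(m.group(0).replace(",", "."), "%Y-%m-%dT%H:%M:%S.%f%z")


def bucket_start(ts, span_minutes):
    """Floor ts to the start of its span (span must divide 60, as 10 does)."""
    return ts - timedelta(minutes=ts.minute % span_minutes,
                          seconds=ts.second, microseconds=ts.microsecond)


def timechart_latest_status(events, span_minutes=10, fill=0):
    """timechart latest(status) as status span=<n>m, then fillnull value=<fill> status.

    Returns [(bucket_start_iso, status), ...] for every bucket from the first to
    the last event, so a quiet window shows up as `fill` instead of being absent.
    """
    latest = {}
    for raw in sorted(events, key=event_time):  # latest() is by _time, so order by time
        latest[bucket_start(event_time(raw), span_minutes)] = connection_status(raw)
    if not latest:
        return []
    step = timedelta(minutes=span_minutes)
    cursor, last = min(latest), max(latest)
    chart = []
    while cursor <= last:
        chart.append((cursor.isoformat(), latest.get(cursor, fill)))
        cursor += step
    return chart


if __name__ == "__main__":
    line = SAMPLE_EVENTS[0]
    print("question's rex :", extract_status_message(line, ORIGINAL_REX))  # None
    print("answer's rex   :", extract_status_message(line))
    for bucket, status in timechart_latest_status(SAMPLE_EVENTS):
        print(bucket, status)
```

Two things worth carrying back into the real search: `latest(status)` means a bucket that saw a retry, a failure and then a success charts as 1, so if the "any failure in the window" view matters use `min(status)` instead; and the substring test is only as stable as the log text, so pin the exact message and re-check it whenever the ingestor is upgraded.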

kamlesh_vaghela
SplunkTrust

@pratapak

Glad to help you.

0 Karma

pratapak
Explorer

@kamlesh_vaghela thanks for the help

0 Karma