
In a Splunk search query, how do I check to see if a log message has text or not?

Explorer

Hello, I am pretty new to Splunk and don't have much knowledge. Please help me.

Log Message

message:     2018-09-21T07:15:28,458+0000 comp=hub-lora-ingestor-0 [vert.x-eventloop-thread-0] INFO  com.nsc.iot.hono.receiver.HonoReceiver - Connected successfully, creating telemetry consumer ...

I want to check if message contains "Connected successfully, creating telemetry consumer ..." and based on this want to assign "1" or "0" to a variable.

Splunk search query

(index="05c48b55-c9aa-4743-aa4b-c0ec618691dd" ("Retry connecting in 1000ms ..." OR "Connect or create consumer failed with exception" OR "Connected successfully, creating telemetry consumer ...")) 
| rex field=_raw "^(?:[^ \n]* ){7}(?P<success_status_message>\w+\s+\w+,\s+\w+\s+\w+\s+\w+)"
| timechart count as status | eval status=if(isnull(success_status_message), 0, 1)

"success_status_message" is always null and I'm not sure why. I want to get the message in the "success_status_message" field and check if "success_status_message" contains some text value.

Note: I generated the regex using the Splunk field extraction feature.

0 Karma

Re: In a Splunk search query, how do I check to see if a log message has text or not?

SplunkTrust

@pratapak

If you want to check whether an event contains a particular string or not, then you can use the following search.

| makeresults 
| eval _raw="message:     2018-09-21T07:15:28,458+0000 comp=hub-lora-ingestor-0 [vert.x-eventloop-thread-0] INFO  com.nsc.iot.hono.receiver.HonoReceiver - Connected successfully, creating telemetry consumer ..." 
| eval status=if(like(_raw,"%Connected successfully, creating telemetry consumer%"),1,0)

Search for multiple string matching

| makeresults 
| eval _raw="message:     2018-09-21T07:15:28,458+0000 comp=hub-lora-ingestor-0 [vert.x-eventloop-thread-0] INFO  com.nsc.iot.hono.receiver.HonoReceiver - Connected successfully, creating telemetry consumer ..." 
| eval flag=if(like(_raw,"%Connected successfully, creating telemetry consumer%") 
OR like(_raw,"%Retry connecting in 1000ms ...%")
OR like(_raw,"%Connect or create consumer failed with exception%"),1,0)   

Also check the following search for a timechart by success_status_message.

| makeresults 
| eval _raw="message:     2018-09-21T07:15:28,458+0000 comp=hub-lora-ingestor-0 [vert.x-eventloop-thread-0] INFO  com.nsc.iot.hono.receiver.HonoReceiver - Connected successfully, creating telemetry consumer ..." 
| append 
    [| makeresults 
    | eval _raw="message:     2018-09-21T07:15:28,458+0000 comp=hub-lora-ingestor-0 [vert.x-eventloop-thread-0] INFO  com.nsc.iot.hono.receiver.HonoReceiver - Retry connecting in 1000ms ..." 
        ] 
| append 
    [| makeresults 
    | eval _raw="message:     2018-09-21T07:15:28,458+0000 comp=hub-lora-ingestor-0 [vert.x-eventloop-thread-0] INFO  com.nsc.iot.hono.receiver.HonoReceiver - Connect or create consumer failed with exception" 
        ] 
| rex field=_raw "-\s(?<success_status_message>.*)"
| timechart count by success_status_message

Try the following search:

(index="05c48b55-c9aa-4743-aa4b-c0ec618691dd" ("Retry connecting in 1000ms ..." OR "Connect or create consumer failed with exception" OR "Connected successfully, creating telemetry consumer ...")) 
| rex field=_raw "-\s(?<success_status_message>.*)"
| timechart count by success_status_message

Thanks



Re: In a Splunk search query, how do I check to see if a log message has text or not?

Explorer

@kamlesh_vaghela thanks for the answer. But my scenario is that I want to show 1 in the chart if my log message contains "Connected successfully, creating telemetry consumer ..." and 0 if not.

0 Karma

Re: In a Splunk search query, how do I check to see if a log message has text or not?

SplunkTrust

@pratapak

So try this:

| makeresults 
 | eval _raw="message:     2018-09-21T07:15:28,458+0000 comp=hub-lora-ingestor-0 [vert.x-eventloop-thread-0] INFO  com.nsc.iot.hono.receiver.HonoReceiver - Connected successfully, creating telemetry consumer ..." 
 | eval status=if(like(_raw,"%Connected successfully, creating telemetry consumer%"),1,0)

This search will return a status field with 0 and 1 values. If your event contains 'Connected successfully, creating telemetry consumer' then it will return 1, else 0.

Now let me know how you want to display status in your chart. Any sample dataset or example will help a lot.

0 Karma

Re: In a Splunk search query, how do I check to see if a log message has text or not?

Explorer

@kamlesh_vaghela for every 10 mins I want to display the connection status on a chart. Status 1 means the connection was successful and status 0 means the connection was unsuccessful.


0 Karma

Re: In a Splunk search query, how do I check to see if a log message has text or not?

Explorer

@kamlesh_vaghela chart something like this https://ibb.co/mO5dxU

0 Karma

Re: In a Splunk search query, how do I check to see if a log message has text or not?

SplunkTrust

@pratapak

Try this:

| makeresults 
| eval _raw="message:     2018-09-21T07:15:28,458+0000 comp=hub-lora-ingestor-0 [vert.x-eventloop-thread-0] INFO  com.nsc.iot.hono.receiver.HonoReceiver - Connected successfully, creating telemetry consumer ..." 
| eval status=if(like(_raw,"%Connected successfully, creating telemetry consumer%"),1,0) 
| timechart latest(status) as status span=10m

0 Karma
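As an added example (not code from the thread), the following Python models the SPL pieces the answers combine: the rex extraction, the like()-based status eval, and timechart latest(status) span=10m, run over constructed sample events in the log format from the question; it also runs the question's original regex over the same lines so the difference between the two extractions is visible. It assumes _raw begins at the timestamp, i.e. that "message:" on the page is only the UI's field label.

```python
import re
from datetime import datetime, timezone

# Constructed sample events in the page's log format. Assumed: _raw starts at the
# timestamp, and "message:" on the page is only the UI's field label.
PREFIX = "comp=hub-lora-ingestor-0 [vert.x-eventloop-thread-0] INFO  com.nsc.iot.hono.receiver.HonoReceiver - "
SAMPLE_EVENTS = [
    "2018-09-21T07:15:28,458+0000 " + PREFIX + "Connected successfully, creating telemetry consumer ...",
    "2018-09-21T07:22:01,004+0000 " + PREFIX + "Retry connecting in 1000ms ...",
    "2018-09-21T07:31:44,910+0000 " + PREFIX + "Connect or create consumer failed with exception",
    "2018-09-21T07:35:10,120+0000 " + PREFIX + "Connected successfully, creating telemetry consumer ...",
]

# The answer's rex: capture everything after the first " - ".
ANSWER_REX = re.compile(r"-\s(?P<success_status_message>.*)")
# The question's rex (from the field extractor): skip seven space-delimited tokens,
# then require the shape "word word, word word word", which only the success message has.
QUESTION_REX = re.compile(r"^(?:[^ \n]* ){7}(?P<success_status_message>\w+\s+\w+,\s+\w+\s+\w+\s+\w+)")
SUCCESS_TEXT = "Connected successfully, creating telemetry consumer"

def extract(raw, rex):
    """Model of `rex field=_raw ...`: the named group, or None (SPL null) when nothing matches."""
    m = rex.search(raw)
    return m.group("success_status_message") if m else None

def status(raw):
    """Model of eval status=if(like(_raw,"%Connected successfully, creating telemetry consumer%"),1,0)."""
    return 1 if SUCCESS_TEXT in raw else 0

def event_time(raw):
    """Epoch seconds from the leading timestamp, e.g. 2018-09-21T07:15:28,458+0000."""
    return datetime.strptime(raw[:28], "%Y-%m-%dT%H:%M:%S,%f%z").timestamp()

def timechart_latest_status(events, span_seconds=600):
    """Model of `timechart latest(status) as status span=10m`: bucket on _time and keep the
    chronologically last event's status per bucket, so a failure followed by a success in
    the same 10 minutes charts as 1. status is computed per event before bucketing: timechart
    keeps only _time and its output fields, so an eval placed after it sees other fields as null."""
    buckets = {}
    for raw in sorted(events, key=event_time):
        bucket = int(event_time(raw) // span_seconds) * span_seconds
        buckets[bucket] = status(raw)
    return {datetime.fromtimestamp(b, timezone.utc).strftime("%H:%M"): s
            for b, s in sorted(buckets.items())}

if __name__ == "__main__":
    for raw in SAMPLE_EVENTS:
        print(extract(raw, ANSWER_REX), "|", extract(raw, QUESTION_REX), "|", status(raw))
    print(timechart_latest_status(SAMPLE_EVENTS))
```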

Re: In a Splunk search query, how do I check to see if a log message has text or not?

SplunkTrust

@pratapak

Glad to help you.

0 Karma

Re: In a Splunk search query, how do I check to see if a log message has text or not?

Explorer

@kamlesh_vaghela thanks for the help

0 Karma