If there are two statements in a log, how to set a custom message if those two statements are existing in one log

Path Finder

Hello All,

Here is my sample data.

19:30:06 C:\Pelibib\MBX\20190618193001755_MA07.MBX processed and deleted
19:30:06 === Step #05 - Calling C:\Pelibib\SEM\AFTER.pl
19:30:06  - Running Program AFTER.pl
19:30:06 PELAP.pl Unable access to server C:\PELIDATA\F05X\REC\F0566811.TXT
19:30:09 BEFORE call C:\Pelint\Server\run_time\tmp\TR601323.BAT
19:30:09 O 601323 PAHKP102 PMGTN901 C:\PELIBIB\STD\EMI\PMGTN901-MA07-MA07AE_2019618.TXT_20190618193001755 MA07-169000398PSG2N802
19:30:09 AFTER call C:\Pelint\Server\run_time\tmp\TR601323.BAT
19:30:09 O 601323 FILE C:\PELIBIB\STD\EMI\PMGTN901-MA07-MA07AE_2019618.TXT_20190618193001755 sended and deleted

My case is:
The two sentences are below:
19:30:06 C:\Pelibib\MBX\20190618193001755_MA07.MBX processed and deleted
19:30:09 O 601323 FILE C:\PELIBIB\STD\EMI\PMGTN901-MA07-MA07AE_2019618.TXT_20190618193001755 sended and deleted

If the above two statements are present in one log, then I have to show it as "File Received", and if only the "processed and deleted" sentence is there (i.e., 19:30:06 C:\Pelibib\MBX\20190618193001755_MA07.MBX processed and deleted) and there is no "sended and deleted" sentence in the log, then I have to show it as "File stuck in XYZ folder".
But I am not able to use it properly and am not getting any idea how to use it in Splunk.

Please help me with your thoughts.

I have tried like below, but it was of no use:

index=idx_rfs7 sourcetype=st_fs7_pelican_logs | regex "FILE\s+C\W+PELIBIB\WSTD\WEMI\W.*\W(?P<AVIEXP_SENT>MA07)\W[A-Z]{2}\d{2}[A-Z]{2}\S\d{6,8}" | stats count as "File_Received" by _time 
| append [search index=idx_rfs7 sourcetype=st_fs7_pelican_logs
| regex "\d{1,2}:\d{1,2}:\d{1,2}\sC\W+Pelibib\WMBX\W\d{16,18}_(?P<AVIEXP_PROCESSED>MA07)\WMBX\sprocessed\sand\sdeleted"
| stats count as "File_Processed" by _time]
| eval Status=if(File_Received=File_Processed, "File Received", "File Stuck in INFERTEXT Folder")

Many Thanks in Advance!!

0 Karma

Explorer

Hi
Please check if this helps.
I have added the line below to your file to make sure we process both outputs you are looking for.
19:30:06 C:\Pelibib\MBX\20190618193001754_MA07.MBX processed and deleted
Add the index and sourcetype before the query mentioned below.

| search _raw=*MA07*
| rex field=_raw "\WMBX\W(?<file_name>\d+)_MA07.MBX\s(?<status>.*)and deleted"
| rex field=_raw "\.TXT_(?<file_name>\d+)\s(?<status>.*)and deleted"
| stats values(status) as status by file_name
| eval status=mvjoin(status,",")
| search status!=*sended
| eval Result=if(like(status, "%processed ,sended%"), "File_received", "File_stuck_somewhere")

The output would look like this:

file_name            status              Result
20190618193001754    processed           File_stuck_somewhere
20190618193001755    processed ,sended   File_received

0 Karma

Explorer

Are you looking for something like this? If so, just add your index and sourcetype in the first line.

0 Karma

Path Finder

Thanks for your response!!

There are a lot of "sended and deleted" and "processed and deleted" statements/sentences in my log. I have given only one simple stanza of data.

I have tried with your comments. But it is taking all 4394 events and showing the status when there is "processed and deleted" and "sended and deleted".
That is not needed.

The condition is: when both statements are present, that is, "processed and deleted" with the MA07 code in the path (which is the file name) and "sended and deleted" with the MA07 file name, then the file is received. If only "processed and deleted" is present, then the file is stuck somewhere.

For reference, please find below one more stanza which is available in the log.
Note: there are a lot of files like this, but only MA07 needs to be checked.

19:20:11 C:\Pelibib\MBX\20190618192001754_MA09.MBX processed and deleted
19:20:11 === Step #05 - Calling C:\Pelibib\SEM\AFTER.pl
19:20:11  - Running Program AFTER.pl
19:20:11 PELAP.pl Unable access to server C:\PELIDATA\F05X\REC\F0566811.TXT
19:20:12 PELAP.pl Unable access to server C:\PELIDATA\MC25\REC\F0575784.TXT
19:20:12 PELAP.pl Unable access to server C:\PELIDATA\MC24\REC\F0586633.TXT
19:20:12 PELAP.pl Unable access to server C:\PELIDATA\MC28\REC\F0586634.TXT
19:20:12 PELAP.pl Unable access to server C:\PELIDATA\MC24\REC\F0586635.TXT
19:20:12 PELAP.pl Unable access to server C:\PELIDATA\MC28\REC\F0586636.TXT
19:20:12 PELAP.pl Unable access to server C:\PELIDATA\MC25\REC\F0586637.TXT
19:20:12 PELAP.pl Unable access to server C:\PELIDATA\MC30\REC\F0586638.TXT
19:20:13 PELAP.pl Unable access to server C:\PELIDATA\MB97\REC\F0586639.TXT
19:20:13 PELAP.pl Copy file C:\PELIBIB\STD\RECEP\F0601320 on C:\PELIDATA\F05X\REC\F0601320.TXT
19:20:15 === Step #06 - Calling C:\Pelibib\UTI\SCANNEREXIT.pl C:\Pelibib\LOGSCANNER\20190618.LOG
19:20:16 === Step #07 - PSG2N802 End of Pelsem.bat ***
19:20:16 Step #4 - PSG2N802 End of Pelsem.bat ***
19:20:28 BEFORE call C:\Pelint\Server\run_time\tmp\TR601322.BAT
19:20:28 O 601322 PAHKP102 PMGTN901 C:\PELIBIB\STD\EMI\PMGTN901-MA09-MA09JPJDE_AL20190618.TXT_20190618192001754 MA09-169000397PSG2N802
19:20:28 AFTER call C:\Pelint\Server\run_time\tmp\TR601322.BAT
19:20:28 O 601322 FILE C:\PELIBIB\STD\EMI\PMGTN901-MA09-MA09JPJDE_AL20190618.TXT_20190618192001754 sended and deleted
19:20:29 le fichier STDOUT=c:\pelint\server\run_time\tmp\XPR601322.out
*---------------------------------------------------------------------**
------------------
19:30:05 POST -bd "" PMGTN901 MA07 C:\PELIBIB\STD\EMI\PMGTN901-MA07-2019618.TXT_20190618193001755 PAHKP102 "LFI16P_AE" ""
19:30:06 C:\Pelibib\MBX\20190618193001755_MA07.MBX processed and deleted
19:30:06 === Step #05 - Calling C:\Pelibib\SEM\AFTER.pl
19:30:06  - Running Program AFTER.pl
19:30:06 PELAP.pl Unable access to server C:\PELIDATA\F05X\REC\F0566811.TXT
19:30:07 PELAP.pl Unable access to server C:\PELIDATA\MC25\REC\F0575784.TXT
19:30:07 PELAP.pl Unable access to server C:\PELIDATA\MC24\REC\F0586633.TXT
19:30:07 PELAP.pl Unable access to server C:\PELIDATA\MC25\REC\F0586637.TXT
19:30:07 PELAP.pl Unable access to server C:\PELIDATA\MC30\REC\F0586638.TXT
19:30:07 PELAP.pl Unable access to server C:\PELIDATA\MB97\REC\F0586639.TXT
19:30:09 BEFORE call C:\Pelint\Server\run_time\tmp\TR601323.BAT
19:30:09 O 601323 PAHKP102 PMGTN901 C:\PELIBIB\STD\EMI\PMGTN901-
19:30:09 O 601323 TRTTAB.pl MA07 PAHKP102  2 => CALL EXITS\E_XXXX_E.CMD
19:30:09 AFTER call C:\Pelint\Server\run_time\tmp\TR601323.BAT
19:30:09 O 601323 FILE C:\PELIBIB\STD\EMI\PMGTN901-MA07-MA07AE_2019618.TXT_20190618193001755 sended and deleted

Thanks

0 Karma

Esteemed Legend

Like this:

index=idx_rfs7 sourcetype=st_fs7_pelican_logs
| rex "FILE\s+C\W+PELIBIB\WSTD\WEMI\W.*\W(?<AVIEXP_SENT>MA07)\W[A-Z]{2}\d{2}[A-Z]{2}\S\d{6,8}"
| rex "\d{1,2}:\d{1,2}:\d{1,2}\sC\W+Pelibib\WMBX\W\d{16,18}_(?<AVIEXP_PROCESSED>MA07)\WMBX\sprocessed\sand\sdeleted"
| stats count(eval(AVIEXP_SENT)) AS received count(eval(AVIEXP_PROCESSED)) AS processed BY source
| where received != processed
0 Karma
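
The pairing rule from the question, run outside Splunk over a few log lines, as an added example that is not part of any post above. It assumes the digits before `_MA07.MBX` and after `.TXT_` identify the same file, as in the sample data; the function names and the third MA07 line are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample lines in the format shown in the thread (not real data).
SAMPLE_LOG = r"""
19:20:11 C:\Pelibib\MBX\20190618192001754_MA09.MBX processed and deleted
19:20:28 O 601322 FILE C:\PELIBIB\STD\EMI\PMGTN901-MA09-MA09JPJDE_AL20190618.TXT_20190618192001754 sended and deleted
19:30:06 C:\Pelibib\MBX\20190618193001755_MA07.MBX processed and deleted
19:30:06 PELAP.pl Unable access to server C:\PELIDATA\F05X\REC\F0566811.TXT
19:30:09 O 601323 FILE C:\PELIBIB\STD\EMI\PMGTN901-MA07-MA07AE_2019618.TXT_20190618193001755 sended and deleted
19:40:06 C:\Pelibib\MBX\20190618194001756_MA07.MBX processed and deleted
"""

def build_patterns(code):
    """Regexes for the two lines of interest, limited to one code such as MA07."""
    c = re.escape(code)
    processed = re.compile(r"\\MBX\\(?P<file_id>\d+)_" + c + r"\.MBX\s+processed and deleted")
    sent = re.compile(r"FILE\s.*-" + c + r"-\S*\.TXT_(?P<file_id>\d+)\s+sended and deleted")
    return processed, sent

def classify(log_text, code="MA07"):
    """Return {file_id: status} for every file of `code` that was processed."""
    processed_re, sent_re = build_patterns(code)
    steps = defaultdict(set)  # file_id -> set of steps seen for that file
    for line in log_text.splitlines():
        for step, pattern in (("processed", processed_re), ("sended", sent_re)):
            m = pattern.search(line)
            if m:
                steps[m.group("file_id")].add(step)
    result = {}
    for file_id, seen in steps.items():
        if "processed" not in seen:
            continue  # the question defines a status only for processed files
        result[file_id] = "File Received" if "sended" in seen else "File stuck in XYZ folder"
    return result

if __name__ == "__main__":
    for file_id, status in sorted(classify(SAMPLE_LOG).items()):
        print(file_id, status)
```

Grouping by file identifier rather than by source or time keeps a file that was processed but never sent from being hidden by other files whose counts happen to balance.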