Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to show true keyword and green tick on publish of any events

aditsss
Motivator
‎08-26-2023 10:34 PM

Hi Team,

I have below query:

index="600000304_d_gridgain_idx*" sourcetype =600000304_gg_abs_ipc2 source="/amex/app/gfp-settlement-raw/logs/gfp-settlement-raw.log" "ReadFileImpl - ebnc event balanced successfully"

I want a true keyword and a green tick every time I receive this  "ReadFileImpl - ebnc event balanced successfully"

Something like this:

"ReadFileImpl - ebnc event balanced successfully"       true              tick mark

If this appears "ReadFileImpl - ebnc event balanced successfully" 8 times in a day I want each statement separate with a true keyword and green tick.

Can someone guide me here.

Labels (3)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎08-28-2023 01:30 AM

Hi @aditsss,

let me understand: you want a table where each row contains only: "ebnc event balanced successfully! and "True"?

in this case, you can use:

index="600000304_d_gridgain_idx*" sourcetype =600000304_gg_abs_ipc2 source="/amex/app/gfp-settlement-raw/logs/gfp-settlement-raw.log" 
| eval keyword=if(searchmatch("ReadFileImpl - ebnc event balanced successfully"),"True","False")
| eval phrase="ReadFileImpl - ebnc event balanced successfully"
| table phrase keyword

then, if you want, you could add other fields to the table command (e.g. _time).

Ciao.

Giuseppe

View solution in original post

0 Karma
Reply
Solved! Jump to solution

PickleRick
SplunkTrust
SplunkTrust
‎08-27-2023 12:03 PM

That sounds kinda pointless. You're searching for this text so it's only natural that you find this text. There is no way for your search to match events which do not have this text.

What is the purpose of this exercise then?

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎08-27-2023 01:31 AM

Hi @aditsss,

to add the "True" keyword it's easy, you have only to use the eval command with the option "searchmatch" (https://docs.splunk.com/Documentation/Splunk/9.1.0/SearchReference/ConditionalFunctions#searchmatch....), in this way:

 

index="600000304_d_gridgain_idx*" sourcetype =600000304_gg_abs_ipc2 source="/amex/app/gfp-settlement-raw/logs/gfp-settlement-raw.log" "ReadFileImpl - ebnc event balanced successfully"
| eval keyword=if(searchmatch("ReadFileImpl - ebnc event balanced successfully","True","")

 

Even if, putting the string "ReadFileImpl - ebnc event balanced successfully"  in the main search, al the events you have as results are "true" by definition and you don' have events without the true keyword.

For the green tick is less easy because you have to use a JS and a CSS, you should see in the Splunk Dashboard Examples App (https://splunkbase.splunk.com/app/1603) where you can find the "Table Icon Set (Rangemap)" dashboard example that has this feature and gives you the JS and the CSS.

Ciao.

Giuseppe

0 Karma
Reply
Solved! Jump to solution

aditsss
Motivator
‎08-27-2023 10:46 AM

@gcusello 

I am getting below error by using below query:

index="600000304_d_gridgain_idx*" sourcetype =600000304_gg_abs_ipc2 source="/amex/app/gfp-settlement-raw/logs/gfp-settlement-raw.log" "ReadFileImpl - ebnc event balanced successfully"
| eval keyword=if(searchmatch("ReadFileImpl - ebnc event balanced successfully","True","")

 

Error in 'EvalCommand': The arguments to the 'searchmatch' function are invalid.

Could you please guide.

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎08-28-2023 12:27 AM

Hi @aditsss.

sorry I forgot a parenthesis:

index="600000304_d_gridgain_idx*" sourcetype =600000304_gg_abs_ipc2 source="/amex/app/gfp-settlement-raw/logs/gfp-settlement-raw.log" "ReadFileImpl - ebnc event balanced successfully"
| eval keyword=if(searchmatch("ReadFileImpl - ebnc event balanced successfully"),"True","")

 Ciao.

Giuseppe

0 Karma
Reply
Solved! Jump to solution

aditsss
Motivator
‎08-28-2023 01:03 AM

@gcusello 

How can I make below query as statistics

index="600000304_d_gridgain_idx*" sourcetype =600000304_gg_abs_ipc2 source="/amex/app/gfp-settlement-raw/logs/gfp-settlement-raw.log" "ReadFileImpl - ebnc event balanced successfully"
| eval keyword=if(searchmatch("ReadFileImpl - ebnc event balanced successfully"),"True","")

Like this :

ebnc event balanced successfully               True

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎08-28-2023 01:19 AM

Hi @aditsss,

when you found th events, you can use the stats command:

index="600000304_d_gridgain_idx*" sourcetype =600000304_gg_abs_ipc2 source="/amex/app/gfp-settlement-raw/logs/gfp-settlement-raw.log" "ReadFileImpl - ebnc event balanced successfully"
| eval keyword=if(searchmatch("ReadFileImpl - ebnc event balanced successfully"),"True","")
| stats count

but, as I said, if you put the keyword in the main search, all the results are true, so you need only the count of events, so you could semplify your search:

index="600000304_d_gridgain_idx*" sourcetype =600000304_gg_abs_ipc2 source="/amex/app/gfp-settlement-raw/logs/gfp-settlement-raw.log" "ReadFileImpl - ebnc event balanced successfully"
| stats count

It's different if you want to count the occurrences of the string and also the other events, but you have to modify the main search:

index="600000304_d_gridgain_idx*" sourcetype =600000304_gg_abs_ipc2 source="/amex/app/gfp-settlement-raw/logs/gfp-settlement-raw.log" 
| eval keyword=if(searchmatch("ReadFileImpl - ebnc event balanced successfully"),"True","False")
| stats count BY keyword

 Ciao.

Giuseppe

0 Karma
Reply
Solved! Jump to solution

aditsss
Motivator
‎08-28-2023 01:24 AM

@gcusello 

I dont want count

I want like this:

ebnc event balanced successfully                                  True

ebnc event balanced successfully                                   True

ebnc event balanced successfully                                   True

means whenever "ebnc event balanced successfully" occur TRUE keyword should be there.

 

0 Karma
Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎08-28-2023 01:30 AM

Hi @aditsss,

let me understand: you want a table where each row contains only: "ebnc event balanced successfully! and "True"?

in this case, you can use:

index="600000304_d_gridgain_idx*" sourcetype =600000304_gg_abs_ipc2 source="/amex/app/gfp-settlement-raw/logs/gfp-settlement-raw.log" 
| eval keyword=if(searchmatch("ReadFileImpl - ebnc event balanced successfully"),"True","False")
| eval phrase="ReadFileImpl - ebnc event balanced successfully"
| table phrase keyword

then, if you want, you could add other fields to the table command (e.g. _time).

Ciao.

Giuseppe

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎08-28-2023 03:19 AM

Hi @aditsss,

 good for you, see next time!

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated by all the contributors 😉

0 Karma
Reply
Solved! Jump to solution

aditsss
Motivator
‎08-27-2023 01:20 PM

@PickleRick 

This is requirement that when ebnc event balanced come there should be TRUE keyword to make it sure this happen.

Could you please guide regarding query. 

0 Karma
Reply
Solved! Jump to solution

PickleRick
SplunkTrust
SplunkTrust
‎08-27-2023 02:54 PM

Ok, but if there is no such event, you will not have anything in your results. So just adding a static "true" to every returned row of results seems silly. The events don't change as such.

0 Karma
Reply
Solved! Jump to solution

aditsss
Motivator
‎08-27-2023 03:01 PM

@PickleRick 

This is only requirement

@PickleRick @gcusello  could you please guide me with the query I post.

 

I want like this

Ebnc events successfully balanced.       True

Whenever this "ebnc events successfully balanced" there should be true keyword.

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars this month. This ...

They're back! Join the SplunkTrust and MVP at .conf24

With our highly anticipated annual conference, .conf, comes the fez-wearers you can trust! The SplunkTrust, as ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...