Dashboards & Visualizations
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Searchmatch

suvi6789
Path Finder
‎08-07-2024 03:12 AM

Hi, 
I have doing a list of different searches and want the count of each searches. 
So, I was using the searchmatch command but when using it I get only the first result that is successfully searches and it ignore the rest

For example:

index="abc" 
| eval JobName= case(
searchmatch("error 1234", Error1),
searchmatch("error 567", Error2),
searchmatch("error 89", Error3)
)
| stats count by JobName

Output says 
Error1 - 234 (234 is the count of error)

though error 2 and error 3 are there, It is not listing in the results. 
Please could you suggest on how to get this sorted

 

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎08-07-2024 05:34 AM

That's how case works - it returns the value for the first matching condition. If you want to evaluate all conditions, you have to do three separate evals and assign values to three separate fields.

0 Karma
Reply

suvi6789
Path Finder
‎08-07-2024 03:52 AM

Thank you for your response

If I comment the first search
index="abc" 
| eval JobName= case(
```searchmatch("error 1234"), "Error1",```
searchmatch("error 567"), "Error2",
searchmatch("error 89"), "Error3"
)

Now, the result is 
Error2 - 125

0 Karma
Reply

suvi6789
Path Finder
‎08-07-2024 03:48 AM

If I comment 
index="abc" 
| eval JobName= case(
```searchmatch("error 1234"), "Error1",```
searchmatch("error 567"), "Error2",
searchmatch("error 89"), "Error3"
)

Now, the result is 
Error2 - 125

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎08-07-2024 03:52 AM

Hi @suvi6789 ,

Only for test, please try this:

index="abc" 
| stats 
     count(eval(searchmatch("error 1234"))) AS "Error1"
     count(eval(searchmatch("error 567"))) AS "Error12"
     count(eval(searchmatch("error 89"))) AS "Error3"

the issue is probably on the data, you must analyze them

Ciao.

Giuseppe

0 Karma
Reply

suvi6789
Path Finder
‎08-07-2024 03:43 AM

Thanks for the response
My Bad, the parenthesis are wrong. I have ran the query with the right paranthesis. It was a typo.

index="abc" 
| eval JobName= case(
searchmatch("error 1234"), "Error1",
searchmatch("error 567"), "Error2",
searchmatch("error 89"), "Error3"
)
| stats count by JobName

Output says 
Error1 - 234 (234 is the count of error)

though error 2 and error 3 are there, It is not listing in the results. 

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎08-07-2024 03:46 AM

Hi @suvi6789 ,

the search is correct, are you sure about the strings to search for Error 2 and 3?

Only for debugging, please change the order of searchmatch in the eval.

Ciao.

Giuseppe

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎08-07-2024 03:40 AM

Hi @suvi6789 ,

parenthesis are wrong and if Error1,2 and3 are strings, use quotes:

index="abc" 
| eval JobName= case(
searchmatch("error 1234"), "Error1",
searchmatch("error 567"), "Error2",
searchmatch("error 89"), "Error3"
)
| stats count by JobName
0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Search APIを使えば調査過程が残せます

   このゲストブログは、JCOM株式会社の情報セキュリティ本部・専任部長である渡辺慎太郎氏によって執筆されました。 Note: This article is published in both Japanese ...

Integrating Splunk Search API and Quarto to Create Reproducible Investigation ...

 Splunk is More Than Just the Web Console For Digital Forensics and Incident Response (DFIR) practitioners, ...

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...