Getting Data In

Use the same search for multiple fields and events?

kdulhan
Explorer

In order to search for the error records, I use :

ns=app1 Service='trigger1' Id!='temp-100' | Search ErrorResponse

Here I get an event like:

timestamp ns=app1 [ErrorResponse] Service='trigger1' id=105 ActNo=1234

Now I have to fetch this ActNo field and search with only ActNo=1234. It will list many events and in those I have to look for a field appId = 'New1'. If New1, I have to add it to a counter1 else counter2.

Thank you!

0 Karma

lguinn2
Legend

You could try something like this

index=whatever [ search ns=app1 Service=trigger1 Id!="temp-100" ErrorResponse | fields ActNo ]
| eval counter1 = if(appId=="New1",1,0)
| eval counter2 = if(appId=="New1",0,1)
| stats sum(counter1) as counter1 sum(counter2) as counter2 by ActNo 

A few tips:

A search like this ns=app1 Service=trigger1 Id!="temp-100" | Search ErrorResponse should always be rewritten as
ns=app1 Service=trigger1 Id!="temp-100" ErrorResponse. Combine as much as possible into a single search.
Splunk uses double-quotes for strings, but even that is not required in the search command if the string has no spaces or special characters.
The search within brackets is called a subsearch. The list of ActNo's from the subsearch will be inserted into the outer search.
Here is more information about subsearches.

0 Karma

kdulhan
Explorer

AppId in the events is displayed with single quotes as appId='New1'

0 Karma

kdulhan
Explorer

appId in the event is displayed as appId=='New1'

0 Karma

kdulhan
Explorer

Sorry it is displayed in event with single quotes as appId='New1'

0 Karma

lguinn2
Legend

Oh, nice answer by @DalJeanis as well. I could re-write my search as:

 index=whatever [ search ns=app1 Service=trigger1 Id!="temp-100" ErrorResponse | fields ActNo ]
 | stats sum(eval(appId=="New1")) as counter1 sum(eval(appId!="New1")) as counter2 by ActNo 
0 Karma

kdulhan
Explorer

index=l2_idx ns=app1 Service='trigger1' Id!='temp-100 ErrorResponse | fields ActNo | stats sum(eval(appId=="New1")) as counter1 sum(eval(appId!=="New1")) as counter2 by ActNo

Getting error as:
Error in 'stats' command: The eval expression for dynamic field 'eval(appId!=="New1")' is invalid. Error='The expression is malformed. An unexpected character is reached at '="New1"'.

0 Karma

DalJeanis
SplunkTrust

If I've read you right, it would be something like this...

 timestamp ns=app1 [ErrorResponse] Service='trigger1' id=105 
     [ns=app1 Service='trigger1' Id!='temp-100' | Search ErrorResponse | table ActNo]
 | stats count(eval(appId="New1")) as counter1 count as bothcounters by ActNo  
 | eval counter2 = bothcounters-counter1

This part ...

         [ns=app1 Service='trigger1' Id!='temp-100' | Search ErrorResponse | table ActNo]

...returns a list of ActNo values in this format...

 ( ( ActNo="firstvalue" ) OR ( ActNo="secondvalue" ) OR ... OR ( ActNo="lastvalue" ) ) 

then this part

 timestamp ns=app1 [ErrorResponse] Service='trigger1' id=105  ( ( ActNo=... )

... brings back the records, and this part counts them up ...

 | stats count(eval(appId="New1")) as counter1 count as bothcounters by ActNo  
 | eval counter2 = bothcounters-counter1
0 Karma

kdulhan
Explorer

Can I have eval and stats count after ActNo as
timestamp ns=app1 [ErrorResponse] Service='trigger1' id=105 [ns=app1 Service='trigger1' Id!='temp-100' | Search ErrorResponse | table ActNo | eval | stats count as "Count1"]

Also I want to check if there are records with that ActNo in the outer search or not. If not, I want to write that ActNo.

Thank you!

0 Karma

kdulhan
Explorer

Thanks.

I get the account number and two counters, counter and bothcounters. But for every account number only bothcounters has a value (1) while counter is always 0, which does not match the events: some of the AcctNo values have appId as New1 and others don't.

0 Karma
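A combined search that covers the subsearch approach from lguinn2's and DalJeanis's answers together with the two follow-up problems (the counter staying at 0, and wanting to see an ActNo even when the outer search finds nothing for it), as an added example that is not from any poster in this thread. It assumes the index l2_idx from the poster's own search, assumes ActNo and appId appear in _raw exactly as in the sample event (appId='New1'), and extracts both with rex so that the single quotes cannot end up inside the field value, which is one reason a comparison against "New1" can fail. It also assumes the ErrorResponse event itself carries ActNo and therefore matches the outer search as well; the searchmatch() flag keeps that record out of the two counters instead of letting it inflate bothcounters.

```spl
index=l2_idx ns=app1 Service=trigger1 Id!="temp-100"
    [ search index=l2_idx ns=app1 Service=trigger1 Id!="temp-100" ErrorResponse
      | rex field=_raw "ActNo=(?<ActNo>\S+)"
      | dedup ActNo
      | fields ActNo ]
| rex field=_raw "ActNo=(?<ActNo>\S+)"
| rex field=_raw "appId='?(?<appId>[^'\s]+)'?"
| eval is_error=if(searchmatch("ErrorResponse"), 1, 0)
| eval counter1=if(is_error=0 AND appId=="New1", 1, 0)
| eval counter2=if(is_error=0, 1-counter1, 0)
| stats sum(counter1) as counter1 sum(counter2) as counter2 sum(is_error) as error_events by ActNo
| eval note=if(counter1+counter2=0, "no events for this ActNo apart from the ErrorResponse record", "")
```

The subsearch expands to the `( ActNo="..." ) OR ( ActNo="..." )` list DalJeanis describes, so every ActNo that had an error appears in the result even when its only matching event is the error record; those rows show counter1=0, counter2=0 and a note. Events outside the error record with no appId at all land in counter2, matching the "else counter2" rule in the question. Subsearches have default result and run-time limits (10,000 results, 60 seconds), so for a very large list of error ActNo values run one search over all the events instead and drop ActNo groups with error_events=0 in a final where clause.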