Use the same search for multiple fields and events?

kdulhan
Explorer

In order to search for the error records, I use :

ns=app1 Service='trigger1' Id!='temp-100' | Search ErrorResponse

Here I get an event like:

timestamp ns=app1 [ErrorResponse] Service='trigger1' id=105 ActNo=1234

Now I have to fetch this ActNo field and search with only ActNo=1234. It will list many events and in those I have to look for a field appId = 'New1'. If New1, I have to add it to a counter1 else counter2.

Thank you!

0 Karma

lguinn2
Legend

You could try something like this

index=whatever [ search ns=app1 Service=trigger1 Id!="temp-100" ErrorResponse | fields ActNo ]
| eval counter1 = if(appId=="New1",1,0)
| eval counter2 = if(appId=="New1",0,1)
| stats sum(counter1) as counter1 sum(counter2) as counter2 by ActNo 

A few tips:

A search like this ns=app1 Service=trigger1 Id!="temp-100" | Search ErrorResponse should always be rewritten as
ns=app1 Service=trigger1 Id!="temp-100" ErrorResponse. Combine as much as possible into a single search.
Splunk uses double-quotes for strings, but even that is not required in the search command if the string has no spaces or special characters.
The search within brackets is called a subsearch. The list of ActNo's from the subsearch will be inserted into the outer search.
Here is more information about subsearches.

0 Karma
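To make the two-stage logic in this answer concrete, here is an added Python model of the same pipeline (this is example code written for this page, not Splunk's code and not from any poster in the thread). It runs a subsearch that collects the ActNo values of the ErrorResponse events, then filters the remaining events by those ActNo values and counts per ActNo how many carry appId "New1" versus anything else. The sample events are constructed to match the layout the asker describes, including appId written with single quotes; the field extractor strips single or double quotes so that a comparison against the bare string New1 succeeds.

```python
import re
from collections import defaultdict

# Constructed sample events (not real log data), in the key=value layout the
# thread describes. Error events carry [ErrorResponse] and an ActNo; later
# events for the same ActNo carry appId in single quotes, as the asker reports.
EVENTS = [
    "2024-01-01T10:00:00 ns=app1 [ErrorResponse] Service='trigger1' Id=105 ActNo=1234",
    "2024-01-01T10:00:01 ns=app1 [ErrorResponse] Service='trigger1' Id=106 ActNo=5678",
    "2024-01-01T10:00:02 ns=app1 [ErrorResponse] Service='trigger1' Id=temp-100 ActNo=9999",
    "2024-01-01T10:01:00 ns=app1 Service='trigger1' Id=201 ActNo=1234 appId='New1'",
    "2024-01-01T10:01:01 ns=app1 Service='trigger1' Id=202 ActNo=1234 appId='Old2'",
    "2024-01-01T10:01:02 ns=app1 Service='trigger1' Id=203 ActNo=5678 appId='Old2'",
    "2024-01-01T10:01:03 ns=app1 Service='trigger2' Id=204 ActNo=9999 appId='New1'",
]

# key=value where the value is single-quoted, double-quoted, or bare.
KV_RE = re.compile(r"(\w+)=(?:'([^']*)'|\"([^\"]*)\"|(\S+))")


def extract_fields(raw):
    """Return {field: value} for one event, with surrounding quotes stripped.
    If the quotes were kept, appId would hold the text 'New1' (with quotes)
    and a comparison against New1 would never match."""
    fields = {}
    for m in KV_RE.finditer(raw):
        key, sq, dq, bare = m.groups()
        fields[key] = sq if sq is not None else dq if dq is not None else bare
    fields["_raw"] = raw
    return fields


def subsearch_actnos(events):
    """Model of: search ns=app1 Service=trigger1 Id!="temp-100" ErrorResponse | fields ActNo
    Returns the set of ActNo values the subsearch would hand to the outer search."""
    actnos = set()
    for ev in map(extract_fields, events):
        if (ev.get("ns") == "app1" and ev.get("Service") == "trigger1"
                and ev.get("Id") != "temp-100"
                and "ErrorResponse" in ev["_raw"]      # bare keyword match on the raw text
                and "ActNo" in ev):
            actnos.add(ev["ActNo"])
    return actnos


def count_by_actno(events, actnos):
    """Model of the outer search plus the stats: keep events whose ActNo came from
    the subsearch, then per ActNo count the appId=="New1" events (counter1), all
    events (bothcounters), and the remainder (counter2)."""
    stats = defaultdict(lambda: {"counter1": 0, "bothcounters": 0})
    for ev in map(extract_fields, events):
        if ev.get("ActNo") not in actnos:
            continue
        row = stats[ev["ActNo"]]
        row["bothcounters"] += 1
        if ev.get("appId") == "New1":
            row["counter1"] += 1
    for row in stats.values():
        row["counter2"] = row["bothcounters"] - row["counter1"]
    return dict(stats)


def run(events=EVENTS):
    """Whole pipeline: subsearch, outer search, stats by ActNo."""
    return count_by_actno(events, subsearch_actnos(events))


if __name__ == "__main__":
    for actno, row in sorted(run().items()):
        print(actno, row)
```

With the constructed events, ActNo 9999 is dropped because its error event has Id=temp-100, ActNo 1234 ends with counter1=1 and counter2=2, and ActNo 5678 with counter1=0 and counter2=2. Note that the error events themselves are part of the outer result set, exactly as they would be in Splunk, since the subsearch only contributes an ActNo filter; they have no appId and therefore land in counter2.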

kdulhan
Explorer

AppId in the events is displayed with single quotes as appId='New1'

0 Karma

kdulhan
Explorer

appId in the event is displayed as appId=='New1'

0 Karma

kdulhan
Explorer

Sorry it is displayed in event with single quotes as appId='New1'

0 Karma

lguinn2
Legend

oh, nice answer by @DalJeanis as well. I could re-write my search as:

 index=whatever [ search ns=app1 Service=trigger1 Id!="temp-100" ErrorResponse | fields ActNo ]
 | stats sum(eval(appId=="New1")) as counter1 sum(eval(appId!="New1")) as counter2 by ActNo 

0 Karma

kdulhan
Explorer

index=l2_idx ns=app1 Service='trigger1' Id!='temp-100 ErrorResponse | fields ActNo | stats sum(eval(appId=="New1")) as counter1 sum(eval(appId!=="New1")) as counter2 by ActNo

Getting error as:
Error in 'stats' command: The eval expression for dynamic field 'eval(appId!=="New1")' is invalid. Error='The expression is malformed. An unexpected character is reached at '="New1"'.

0 Karma

DalJeanis
Legend

If I've read you right, it would be something like this...

 timestamp ns=app1 [ErrorResponse] Service='trigger1' id=105 
     [ns=app1 Service='trigger1' Id!='temp-100' | Search ErrorResponse | table ActNo]
 | stats count(eval(appId="New1")) as counter count as bothcounters by ActNo  
 | eval counter2 = bothcounters-counter1

This part ...

         [ns=app1 Service='trigger1' Id!='temp-100' | Search ErrorResponse | table ActNo]

...returns a list of ActNo values in this format...

 ( ( ActNo="firstvalue" ) OR ( ActNo="secondvalue" ) OR ... OR ( ActNo="lastvalue" ) ) 

then this part

 timestamp ns=app1 [ErrorResponse] Service='trigger1' id=105  ( ( Actno=... )

... brings back the records, and this part counts them up ...

 | stats count(eval(appId="New1")) as counter count as bothcounters by ActNo  
 | eval counter2 = bothcounters-counter1

0 Karma

kdulhan
Explorer

Can I have eval and stats count after ActNo as
timestamp ns=app1 [ErrorResponse] Service='trigger1' id=105 [ns=app1 Service='trigger1' Id!='temp-100' | Search ErrorResponse | table ActNo | eval | stats count as "Count1"]

Also I want to check if there are records with that ActNo in the outer search or not. If not, I want to write that ActNo.

Thank you!

0 Karma

kdulhan
Explorer

Thanks.

I get the account no and two counters as counter and bothcounters. But for every account no, it is only bothcounters that has the value 1, while counter is always 0, which is not the case with respect to the events, as some of the AcctNo have the appId as New1 and others don't.

0 Karma