Security

How to use eval case match to assign a target and count?

Burndata
Explorer

Hello, I have some log messages like this, where various info is delimited by double-colons:

{"@message":"[\"ERROR :: xService :: xService :: function :: user :: 6c548f2b-4c3c-4aab-8fde-c1a8d727af35 :: device1,device2 :: shared :: groupname :: tcp\"]","@timestamp":"2023-03-20T23:34:05.886Z","@fields":{"@origin":"/dir/stuff/things/and/more/goes/here/file.js:2109","@level":"info"}}

I am trying to send a count per day of the 'function' shown above, and the issue is that it might appear at various block count when the message is split from ' :: ' - So, I am trying to match regex on the UUID and count 2 blocks backwards from there to get the 'function' as a reliable way to extract it.  I have observed the UUID appearing in blocks 5, 6, and 7, so this is an attempt at case for each and assigning a value to get the function.

Am quite new to Splunk queries, but here is my stab at it.  Of course, it doesn't quite work:

index=iap source="/dir/stuff/things/xService.log" "ERROR :: xService ::"
| rex field=@message mode=sed "s/(\[\"|\"\])//g"
| eval tmp = split('@message'," :: ") , check7 = mvindex(tmp,7), check6 = mvindex(tmp,6), check5 = mvindex(tmp,5)
| eval target=case(match(check7,"\w+\-\w+\-\w+\-\w+\-\w+"),7,match(check6,"\w+\-\w+\-\w+\-\w+\-\w+"),6,match(check5,"\w+\-\w+\-\w+\-\w+\-\w+"),5)
| eval function=case(match(target == 7, 5, target == 6, 6, target == 5, 5)
| timechart span=1d count by function limit=0

Labels (1)
Tags (5)
0 Karma
1 Solution

Burndata
Explorer

I think this fixed the issues (multiple issues):

Seems to be working now.

index=iap source="/var/log/pronghorn/A10Service.log" "ERROR :: A10Service ::"
| rex field=@message mode=sed "s/(\[\"|\"\])//g"
| eval tmp = split('@message'," :: ") , check7 = mvindex(tmp,7), check6 = mvindex(tmp,6), check5 = mvindex(tmp,5), check4 = mvindex(tmp,4), check3 = mvindex(tmp,3)
| eval target=case(match(check7, "\w+\-\w+\-\w+\-\w+\-\w+"),7 , match(check6,"\w+\-\w+\-\w+\-\w+\-\w+"), 6 ,match(check5,"\w+\-\w+\-\w+\-\w+\-\w+"), 5)
| eval function=case(target == 7, check5, target == 6, check4, target == 5, check3)
| timechart span=1d count by function limit=0

View solution in original post

0 Karma

Burndata
Explorer

I think this fixed the issues (multiple issues):

Seems to be working now.

index=iap source="/var/log/pronghorn/A10Service.log" "ERROR :: A10Service ::"
| rex field=@message mode=sed "s/(\[\"|\"\])//g"
| eval tmp = split('@message'," :: ") , check7 = mvindex(tmp,7), check6 = mvindex(tmp,6), check5 = mvindex(tmp,5), check4 = mvindex(tmp,4), check3 = mvindex(tmp,3)
| eval target=case(match(check7, "\w+\-\w+\-\w+\-\w+\-\w+"),7 , match(check6,"\w+\-\w+\-\w+\-\w+\-\w+"), 6 ,match(check5,"\w+\-\w+\-\w+\-\w+\-\w+"), 5)
| eval function=case(target == 7, check5, target == 6, check4, target == 5, check3)
| timechart span=1d count by function limit=0

0 Karma

Burndata
Explorer

note typo's above - should be target == 7, 5, target == 6, 4, target == 5, 3

0 Karma
Get Updates on the Splunk Community!

Preparing your Splunk Environment for OpenSSL3

The Splunk platform will transition to OpenSSL version 3 in a future release. Actions are required to prepare ...

Deprecation of Splunk Observability Kubernetes “Classic Navigator” UI starting ...

Access to Splunk Observability Kubernetes “Classic Navigator” UI will no longer be available starting January ...

Now Available: Cisco Talos Threat Intelligence Integrations for Splunk Security Cloud ...

At .conf24, we shared that we were in the process of integrating Cisco Talos threat intelligence into Splunk ...