Are you a member of the Splunk Community?
- Find Answers
- :
- Splunk Administration
- :
- Admin Other
- :
- Security
- :
- How to use eval case match to assign a target and ...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello, I have some log messages like this, where various info is delimited by double-colons:
{"@message":"[\"ERROR :: xService :: xService :: function :: user :: 6c548f2b-4c3c-4aab-8fde-c1a8d727af35 :: device1,device2 :: shared :: groupname :: tcp\"]","@timestamp":"2023-03-20T23:34:05.886Z","@fields":{"@origin":"/dir/stuff/things/and/more/goes/here/file.js:2109","@level":"info"}}
I am trying to send a count per day of the 'function' shown above, and the issue is that it might appear at various block count when the message is split from ' :: ' - So, I am trying to match regex on the UUID and count 2 blocks backwards from there to get the 'function' as a reliable way to extract it. I have observed the UUID appearing in blocks 5, 6, and 7, so this is an attempt at case for each and assigning a value to get the function.
Am quite new to Splunk queries, but here is my stab at it. Of course, it doesn't quite work:
index=iap source="/dir/stuff/things/xService.log" "ERROR :: xService ::"
| rex field=@message mode=sed "s/(\[\"|\"\])//g"
| eval tmp = split('@message'," :: ") , check7 = mvindex(tmp,7), check6 = mvindex(tmp,6), check5 = mvindex(tmp,5)
| eval target=case(match(check7,"\w+\-\w+\-\w+\-\w+\-\w+"),7,match(check6,"\w+\-\w+\-\w+\-\w+\-\w+"),6,match(check5,"\w+\-\w+\-\w+\-\w+\-\w+"),5)
| eval function=case(match(target == 7, 5, target == 6, 6, target == 5, 5)
| timechart span=1d count by function limit=0
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I think this fixed the issues (multiple issues):
Seems to be working now.
index=iap source="/var/log/pronghorn/A10Service.log" "ERROR :: A10Service ::"
| rex field=@message mode=sed "s/(\[\"|\"\])//g"
| eval tmp = split('@message'," :: ") , check7 = mvindex(tmp,7), check6 = mvindex(tmp,6), check5 = mvindex(tmp,5), check4 = mvindex(tmp,4), check3 = mvindex(tmp,3)
| eval target=case(match(check7, "\w+\-\w+\-\w+\-\w+\-\w+"),7 , match(check6,"\w+\-\w+\-\w+\-\w+\-\w+"), 6 ,match(check5,"\w+\-\w+\-\w+\-\w+\-\w+"), 5)
| eval function=case(target == 7, check5, target == 6, check4, target == 5, check3)
| timechart span=1d count by function limit=0
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I think this fixed the issues (multiple issues):
Seems to be working now.
index=iap source="/var/log/pronghorn/A10Service.log" "ERROR :: A10Service ::"
| rex field=@message mode=sed "s/(\[\"|\"\])//g"
| eval tmp = split('@message'," :: ") , check7 = mvindex(tmp,7), check6 = mvindex(tmp,6), check5 = mvindex(tmp,5), check4 = mvindex(tmp,4), check3 = mvindex(tmp,3)
| eval target=case(match(check7, "\w+\-\w+\-\w+\-\w+\-\w+"),7 , match(check6,"\w+\-\w+\-\w+\-\w+\-\w+"), 6 ,match(check5,"\w+\-\w+\-\w+\-\w+\-\w+"), 5)
| eval function=case(target == 7, check5, target == 6, check4, target == 5, check3)
| timechart span=1d count by function limit=0
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
note typo's above - should be target == 7, 5, target == 6, 4, target == 5, 3
Index This | When is October more than just the tenth month?
Observe and Secure All Apps with Splunk
What’s New & Next in Splunk SOAR
