Security

How to use eval case match to assign a target and count?

Burndata
Explorer

Hello, I have some log messages like this, where various info is delimited by double-colons:

{"@message":"[\"ERROR :: xService :: xService :: function :: user :: 6c548f2b-4c3c-4aab-8fde-c1a8d727af35 :: device1,device2 :: shared :: groupname :: tcp\"]","@timestamp":"2023-03-20T23:34:05.886Z","@fields":{"@origin":"/dir/stuff/things/and/more/goes/here/file.js:2109","@level":"info"}}

I am trying to send a count per day of the 'function' shown above, and the issue is that it might appear at various block count when the message is split from ' :: ' - So, I am trying to match regex on the UUID and count 2 blocks backwards from there to get the 'function' as a reliable way to extract it.  I have observed the UUID appearing in blocks 5, 6, and 7, so this is an attempt at case for each and assigning a value to get the function.

Am quite new to Splunk queries, but here is my stab at it.  Of course, it doesn't quite work:

index=iap source="/dir/stuff/things/xService.log" "ERROR :: xService ::"
| rex field=@message mode=sed "s/(\[\"|\"\])//g"
| eval tmp = split('@message'," :: ") , check7 = mvindex(tmp,7), check6 = mvindex(tmp,6), check5 = mvindex(tmp,5)
| eval target=case(match(check7,"\w+\-\w+\-\w+\-\w+\-\w+"),7,match(check6,"\w+\-\w+\-\w+\-\w+\-\w+"),6,match(check5,"\w+\-\w+\-\w+\-\w+\-\w+"),5)
| eval function=case(match(target == 7, 5, target == 6, 6, target == 5, 5)
| timechart span=1d count by function limit=0

Tags (5)
0 Karma
1 Solution

Burndata
Explorer

I think this fixed the issues (multiple issues):

Seems to be working now.

index=iap source="/var/log/pronghorn/A10Service.log" "ERROR :: A10Service ::"
| rex field=@message mode=sed "s/(\[\"|\"\])//g"
| eval tmp = split('@message'," :: ") , check7 = mvindex(tmp,7), check6 = mvindex(tmp,6), check5 = mvindex(tmp,5), check4 = mvindex(tmp,4), check3 = mvindex(tmp,3)
| eval target=case(match(check7, "\w+\-\w+\-\w+\-\w+\-\w+"),7 , match(check6,"\w+\-\w+\-\w+\-\w+\-\w+"), 6 ,match(check5,"\w+\-\w+\-\w+\-\w+\-\w+"), 5)
| eval function=case(target == 7, check5, target == 6, check4, target == 5, check3)
| timechart span=1d count by function limit=0

View solution in original post

0 Karma

Burndata
Explorer

I think this fixed the issues (multiple issues):

Seems to be working now.

index=iap source="/var/log/pronghorn/A10Service.log" "ERROR :: A10Service ::"
| rex field=@message mode=sed "s/(\[\"|\"\])//g"
| eval tmp = split('@message'," :: ") , check7 = mvindex(tmp,7), check6 = mvindex(tmp,6), check5 = mvindex(tmp,5), check4 = mvindex(tmp,4), check3 = mvindex(tmp,3)
| eval target=case(match(check7, "\w+\-\w+\-\w+\-\w+\-\w+"),7 , match(check6,"\w+\-\w+\-\w+\-\w+\-\w+"), 6 ,match(check5,"\w+\-\w+\-\w+\-\w+\-\w+"), 5)
| eval function=case(target == 7, check5, target == 6, check4, target == 5, check3)
| timechart span=1d count by function limit=0

0 Karma

Burndata
Explorer

note typo's above - should be target == 7, 5, target == 6, 4, target == 5, 3

0 Karma
Get Updates on the Splunk Community!

Splunk Answers Content Calendar, June Edition

Get ready for this week’s post dedicated to Splunk Dashboards! We're celebrating the power of community by ...

What You Read The Most: Splunk Lantern’s Most Popular Articles!

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

See your relevant APM services, dashboards, and alerts in one place with the updated ...

As a Splunk Observability user, you have a lot of data you have to manage, prioritize, and troubleshoot on a ...