Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Blind mask with eval

dabroma5
Explorer
‎06-28-2021 03:21 AM

Hi, 

I would like to count how many times "Booking failed with 1 source conflict and 1 destination conflict" message occurs in the log. 

 

index="xx" OR index=main host="xxx" "booking failed" source="/opt/ipath/log/main.log" NOT update NOT Details  
 | eval Reason = case( bookname="failed with 1 source conflict and 1 destination conflict\"", "Booking failed with 1 source conflict and 1 destination conflict" )
| stats  count by Reason

 

 

old logline:

 

"2021-05-11 13:59:39,615 backend_7.20.47: INFO services/PathManagerService(backend): Booking failed with 1 source conflict and 1 destination conflict"

 

 

new logline:

"2021-06-27 14:24:33,513 backend_8.20.26: INFO vip.service.PathManagerService Booking failed with 1 source conflict and 1 destination conflict [1930711-4]"

After the system upgrade, I don't know how to ignore [1930711-4] part.

Labels (2)
Labels
Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎06-28-2021 03:41 AM

@dabroma5 

Can you please try this for your both logs?

index="xx" OR index=main host="xxx" "booking failed" source="/opt/ipath/log/main.log" NOT update NOT Details  
 | eval Reason = case( like(bookname,"failed with 1 source conflict and 1 destination conflict%\""), "Booking failed with 1 source conflict and 1 destination conflict")
| stats  count by Reason

 

Thanks
KV
▄︻̷̿┻̿═━一

If any of my reply helps you to solve the problem Or gain knowledge, an upvote would be appreciated.

View solution in original post

Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎06-28-2021 03:46 AM

There are a number of ways to do this, here is one

index="xx" OR index=main host="xxx" "booking failed" source="/opt/ipath/log/main.log" NOT update NOT Details  
| rex field=bookname "(?<Reason>Booking failed with 1 source conflict and 1 destination conflict)"
| stats  count by Reason
0 Karma
Reply
Solved! Jump to solution
Solution

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎06-28-2021 03:41 AM

@dabroma5 

Can you please try this for your both logs?

index="xx" OR index=main host="xxx" "booking failed" source="/opt/ipath/log/main.log" NOT update NOT Details  
 | eval Reason = case( like(bookname,"failed with 1 source conflict and 1 destination conflict%\""), "Booking failed with 1 source conflict and 1 destination conflict")
| stats  count by Reason

 

Thanks
KV
▄︻̷̿┻̿═━一

If any of my reply helps you to solve the problem Or gain knowledge, an upvote would be appreciated.

Reply
Solved! Jump to solution

dabroma5
Explorer
‎06-28-2021 04:29 AM

Thanks, this one suits me best.

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...