Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Can find the string in event but count, timechart, where does not work

maximusdm
Communicator
‎04-14-2017 12:29 PM

hi there, new to Splunk here..question:

Event log:
4/14/2017 16:00:00 +0000, blah blah...., statusCode="'20'", status_text="Material not found or deleted.", Description="1 occurrences of status code '20': Material not found or deleted.

This works:

index=blahlah status_text="*Material not found or deleted.*"
index=blahlah Description="*Material not found or deleted.*"

This WILL NOT work:

index=blah blah
| timechart span=1h count(eval(Description="*Material not found or deleted.*")) AS Occurences
| where Occurences > 0

index=blah blah
| timechart span=1h count(eval(status_text="*Material not found or deleted.*")) AS Occurences
| where Occurences > 0

index=blah blah
| where status_text="*Material not found or deleted*"

Thank you

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎04-14-2017 12:50 PM

Wildcards are not universal among SPL commands. Try using match or like in your eval commands.

... count (eval (like (Description, "%Material not found or deleted.%"))) ...

... count (eval (match (Description, "Material not found or deleted"))) ...
---
If this reply helps you, Karma would be appreciated.

View solution in original post

Reply
Solved! Jump to solution

acharlieh
Influencer
‎04-14-2017 12:57 PM

The problem that you're running into is that search and where / eval are fundamentally different commands.

A search for foo="bar*" looks for events where the foo field starts with bar (case insensitively). Whereas a where filter for foo="bar*" looks for events where the foo field is exactly the string bar*.

For some examples:

| makeresults count=10 | streamstats count | eval foo=case(count%2==0,"Barz",1==1,"bar*") 
| search foo="bar*"

Returns all 10 events

| makeresults count=10 | streamstats count | eval foo=case(count%2==0,"Barz",1==1,"bar*") 
| where foo="bar*"

Returns the 5 odd numbered events only

| makeresults count=10 | streamstats count | eval foo=case(count%2==0,"Barz",1==1,"bar*") 
| stats count(eval(searchmatch("foo=\"Bar*\""))) as searchmatch count(eval(foo="Bar*")) as nomatch

Returns searchmatch=10, nomatch=0

If you want wildcarding with eval/where you may want to look into some functions for eval namely, the like, match, and searchmatch functions.

Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎04-14-2017 12:50 PM

Wildcards are not universal among SPL commands. Try using match or like in your eval commands.

... count (eval (like (Description, "%Material not found or deleted.%"))) ...

... count (eval (match (Description, "Material not found or deleted"))) ...
---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

maximusdm
Communicator
‎04-14-2017 01:50 PM

thank you. that worked nicely.

0 Karma
Reply
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...
Top