Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Case and Match do not retrieve the right results

amunag439
Explorer
‎07-26-2019 01:28 PM

I have the following logs where the output can be from application or database or from third party source.

id=11111 req=getresult from app msg=from application status=200
id=2222 req=getresult from db msg=result from db status=200
id=3333 req=getresult from others msg=third party status=200

Using the above logs, I want to calculate the success rate from each source. Found eval is the best option to use.

host=Test sourcetype="test*" source="test.log" "req=getresult*" 
| rex "status=(?<http_status>\d{3})"  
| eval success= case(match(msg,"from application"), "Application", 
                      match(msg, "result from db"), "DB", 1=1, "Third party")  
| where http_status=200 | stats count by success

But the result is not right. I get the count of all the events as Third party. What I'm missing here?

0 Karma
Reply

woodcock
Esteemed Legend
‎07-28-2019 06:02 AM

The automatic field extraction that you get from KV_MODE = auto will extract values of from or result for msg which is insufficient/incorrect. You should do your own field extractions but in the meantime you can do this:

host=Test sourcetype="test*" source="test.log" "req=getresult*" 
| rex "status=(?<http_status>\d{3})" 
| where http_status=200
| eval success= case(
   match(_raw, "msg=from application"), "Application", 
   match(_raw, "msg=result from db"), "DB",
   true(), "Third party")  
| stats count BY success
0 Karma
Reply

jawaharas
Motivator
‎07-26-2019 10:02 PM

Are you parsing 'msg' field properly?

host=Test sourcetype="test*" source="test.log" "req=getresult*" 
| rex "status=(?<http_status>\d{3})" 
| table msg, http_status

Is above code return below result?
from application 200
result from db 200
third party 200

Reply
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...