Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Case and Match do not retrieve the right results

amunag439
Explorer
‎07-26-2019 01:28 PM

I have the following logs where the output can be from application or database or from third party source.

id=11111 req=getresult from app msg=from application status=200
id=2222 req=getresult from db msg=result from db status=200
id=3333 req=getresult from others msg=third party status=200

Using the above logs, I want to calculate the success rate from each source. Found eval is the best option to use.

host=Test sourcetype="test*" source="test.log" "req=getresult*" 
| rex "status=(?<http_status>\d{3})"  
| eval success= case(match(msg,"from application"), "Application", 
                      match(msg, "result from db"), "DB", 1=1, "Third party")  
| where http_status=200 | stats count by success

But the result is not right. I get the count of all the events as Third party. What I'm missing here?

0 Karma
Reply

woodcock
Esteemed Legend
‎07-28-2019 06:02 AM

The automatic field extraction that you get from KV_MODE = auto will extract values of from or result for msg which is insufficient/incorrect. You should do your own field extractions but in the meantime you can do this:

host=Test sourcetype="test*" source="test.log" "req=getresult*" 
| rex "status=(?<http_status>\d{3})" 
| where http_status=200
| eval success= case(
   match(_raw, "msg=from application"), "Application", 
   match(_raw, "msg=result from db"), "DB",
   true(), "Third party")  
| stats count BY success
0 Karma
Reply

jawaharas
Motivator
‎07-26-2019 10:02 PM

Are you parsing 'msg' field properly?

host=Test sourcetype="test*" source="test.log" "req=getresult*" 
| rex "status=(?<http_status>\d{3})" 
| table msg, http_status

Is above code return below result?
from application 200
result from db 200
third party 200

Reply
Get Updates on the Splunk Community!

Upcoming Webinar: Unmasking Insider Threats with Slunk Enterprise Security’s UEBA

Join us on Wed, Dec 10. at 10AM PST / 1PM EST for a live webinar and demo with Splunk experts! Discover how ...

.conf25 technical session recap of Observability for Gen AI: Monitoring LLM ...

If you’re unfamiliar, .conf is Splunk’s premier event where the Splunk community, customers, partners, and ...

A Season of Skills: New Splunk Courses to Light Up Your Learning Journey

There’s something special about this time of year—maybe it’s the glow of the holidays, maybe it’s the ...