Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Case and Match do not retrieve the right results

amunag439
Explorer
‎07-26-2019 01:28 PM

I have the following logs where the output can be from application or database or from third party source.

id=11111 req=getresult from app msg=from application status=200
id=2222 req=getresult from db msg=result from db status=200
id=3333 req=getresult from others msg=third party status=200

Using the above logs, I want to calculate the success rate from each source. Found eval is the best option to use.

host=Test sourcetype="test*" source="test.log" "req=getresult*" 
| rex "status=(?<http_status>\d{3})"  
| eval success= case(match(msg,"from application"), "Application", 
                      match(msg, "result from db"), "DB", 1=1, "Third party")  
| where http_status=200 | stats count by success

But the result is not right. I get the count of all the events as Third party. What I'm missing here?

0 Karma
Reply

woodcock
Esteemed Legend
‎07-28-2019 06:02 AM

The automatic field extraction that you get from KV_MODE = auto will extract values of from or result for msg which is insufficient/incorrect. You should do your own field extractions but in the meantime you can do this:

host=Test sourcetype="test*" source="test.log" "req=getresult*" 
| rex "status=(?<http_status>\d{3})" 
| where http_status=200
| eval success= case(
   match(_raw, "msg=from application"), "Application", 
   match(_raw, "msg=result from db"), "DB",
   true(), "Third party")  
| stats count BY success
0 Karma
Reply

jawaharas
Motivator
‎07-26-2019 10:02 PM

Are you parsing 'msg' field properly?

host=Test sourcetype="test*" source="test.log" "req=getresult*" 
| rex "status=(?<http_status>\d{3})" 
| table msg, http_status

Is above code return below result?
from application 200
result from db 200
third party 200

Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

Hello Splunkers,  We’re excited to kick off a Splunk Dashboard contest! We know that dashboards are a primary ...

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...

Network to App: Observability Unlocked [May & June Series]

In today’s digital landscape, your environment is no longer confined to the data center. It spans complex ...