Splunk Search

Case and Match do not retrieve the right results


I have the following logs, where the output can come from the application, the database, or a third-party source.

id=11111 req=getresult from app msg=from application status=200
id=2222 req=getresult from db msg=result from db status=200
id=3333 req=getresult from others msg=third party status=200

Using the above logs, I want to calculate the success rate for each source. I found eval is the best option to use.

host=Test sourcetype="test*" source="test.log" "req=getresult*" 
| rex "status=(?<http_status>\d{3})"  
| eval success= case(match(msg,"from application"), "Application", 
                      match(msg, "result from db"), "DB", 1=1, "Third party")  
| where http_status=200 | stats count by success

But the result is not right. I get the count of all the events as Third party. What am I missing here?


Esteemed Legend

The automatic field extraction that you get from KV_MODE = auto will extract the values "from" or "result" for msg, which is insufficient/incorrect. You should do your own field extractions, but in the meantime you can do this:

host=Test sourcetype="test*" source="test.log" "req=getresult*" 
| rex "status=(?<http_status>\d{3})" 
| where http_status=200
| eval success= case(
   match(_raw, "msg=from application"), "Application", 
   match(_raw, "msg=result from db"), "DB",
   true(), "Third party")  
| stats count BY success
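As an added example (not code from either post above), the search below extracts msg with an explicit rex instead of relying on the automatic key=value extraction, which stops at the first space and so yields msg="from" or msg="result" for the sample lines, and then goes on to compute the per-source success rate the question asks for rather than only the count of successes. The field names req, source_kind, ok, successes, total and success_rate are my own choices and are not part of the original search.

```spl
host=Test sourcetype="test*" source="test.log" "req=getresult*"
| rex "\sreq=(?<req>.*?)\s+msg=(?<msg>.*?)\s+status=(?<http_status>\d{3})"
| eval source_kind=case(
    match(msg, "^from application$"), "Application",
    match(msg, "^result from db$"), "DB",
    true(), "Third party")
| eval ok=if(http_status=200, 1, 0)
| stats sum(ok) AS successes, count AS total BY source_kind
| eval success_rate=round(100*successes/total, 2)
```

The rex captures req and msg as everything up to the next key (lazy `.*?` followed by `\s+msg=` / `\s+status=`), so multi-word values survive; on the three sample lines it gives msg="from application", "result from db" and "third party". The anchored match() patterns then classify each event, ok is 1 only for status 200, and stats keeps both the success count and the total per source so that success_rate is a percentage rather than a raw count of 200s. The same regex can be made permanent with an EXTRACT-<class> entry for the sourcetype in props.conf, which is the "do your own field extractions" suggested in the answer.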


Are you parsing the 'msg' field properly?

host=Test sourcetype="test*" source="test.log" "req=getresult*" 
| rex "status=(?<http_status>\d{3})" 
| table msg, http_status

Does the above search return the result below?
from application 200
result from db 200
third party 200