Splunk Search

Categorise overlapping events

namritha
Path Finder

Hi,

I have a certain field extracted from my events called "Error_description". They are as follows.

Error_Description:
value 1 = ApplicationA caused error while hitting the database
value 2 = ApplicationA error
value 3 = Database error

I need to categorise them as:

Error_Type:
value 1 = If Error_Description has both the terms ApplicationA and database OR only the term ApplicationA, Error_Type = "Application/DB error or both"
value 2 = If Error_Description has only the term Database error (and NOT the term ApplicationA) , Error_Type = "purely DB error"

I am assuming we will need to use case and like functions, but this does not seem to be working - case(like(Error_Description, "%ApplicationA%" NOT like(Error_description,"%Database%"), "Purely DB error")

Can anyone please help me out?

Thanks in advance.

0 Karma

sundareshr
Legend

Try it like this

... | eval Error_Type=case(match(Error_description, "ApplicationA") AND match(Error_description, "Database", "Application/DB error or both", match(Error_description, "Database") AND NOT match(Error_description, "ApplicationA", ""purely DB error", 1=1, "UNK")
0 Karma

sundareshr
Legend

@namritha, the match() will look for the string anywhere in the field. As long as the text (ApplicationA, database etc) exists in the value of the field Error_description match will find it. Having said that, match uses a regex to find the match. So, match(Error_description, "database") is NOT the same as match(Error_description, "Database"). Same with application. Regex is case sensitive. Also, adding * would mean 0-n occurrences, which is not needed. As long as the regex is correct match will find it anywhere in the string. If you need help with the regex, share some actual samples of Error_description values.

0 Karma

namritha
Path Finder

Thankyou sundareshr.

My requirement is slightly different, maybe I wasn't very clear. The events are like these,

Error_Description:
value 1 = Contains the term ApplicationA caused error while hitting the database
value 2 = Contains the term ApplicationA error
value 3 = Contains the term Database error

i.e. we may have other values like className, methodName or even random strings before and after 'ApplicationA caused an error while hitting the database'. The eval needs to check if the Error_description CONTAINS the terms.

Will adding * before and after ApplicationA help then? I have modified the query below.

| eval Error_Type=case(match(Error_description, "*ApplicationA*") AND match(Error_description, "*Database*", "Application/DB error or both", match(Error_description, "*Database*") AND NOT match(Error_description, "*ApplicationA*", ""purely DB error", 1=1, "UNK")

0 Karma
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

Splunk is officially part of Cisco

Revolutionizing how our customers build resilience across their entire digital footprint.   Splunk ...

Splunk APM & RUM | Planned Maintenance March 26 - March 28, 2024

There will be planned maintenance for Splunk APM and RUM between March 26, 2024 and March 28, 2024 as ...