Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Conditional search evaluation

Tanmaya
New Member
‎10-06-2021 03:28 AM

Hi , 

I am trying to get the day wise error count by data message only if the yesterdays error count is more than 50 .

index="eshop" NOT(index=k8*dev OR index=k8*test) tag=error
| eval time=strftime(_time,"%Y-%m-%d")
|table time,data.message

<condition if the previous day data message count is less than 50 then it should be ignored from the stats>
| stats count by time,data.message

Labels (1)
Labels
0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎10-06-2021 03:52 AM

Don't split by time manually. That's what timechart is for. It works similarily but a bit different.

If you bin manually by date, you have no good way to find days in which there was no events (you have to do tricks with generating artificial entries with count of zero) and therefore you can check agains "previous" value but it doesn't necessarily be the value from the day before. (Unless that's exactly what you want to do, but that's another story)

So instead of manipulating with date just do

| timechart span=1d count by data.message

Now you can't filter by value from another row. You have to get the value from another row into your row. There's a command for it - autoregress. But in order for it to work properly, you have to sort the data in the right order.

| sort data.message _time

Now you can get your previous values for comparison

| autoregress data.message count

And filter out the ones we don't want

| where NOT (data.message=data.message_p1 AND count_p1>50)

 

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎10-06-2021 03:34 AM

Hi @Tanmaya,

did you tried something like this?

index="eshop" NOT(index=k8*dev OR index=k8*test) tag=error earliest=-1@d latest=@d
| stats count BY data.message
| where count>50

Only one question: do you want to alert if any message count is more than 50 or sone spoecified messages?

Ciao.

Giuseppe

0 Karma
Reply

Tanmaya
New Member
‎10-06-2021 03:42 AM

Thanks for the response ... 

I am trying to create a dashboard with the error count line graph where i want to include only those data messages whose previous day count is more than 50 

example :Trells line graph 

if the yesterdays error for 404 is less than 50 i don't want to include 404 error message for plotting the graph

if the yesterdays error for 417 is greater than 50 then  want to include 404 error message for plotting the graph  

errorA : 40

errorB:55

errorC:55

Get the stats count only for errorB and errorC

 

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎10-07-2021 12:00 AM

Hi, @Tanmaya,

in this case the above search should be ok for your needs, did you tried it?

Let me know and, if correct, please accept it for the other people of Community.

Ciao.

Giuseppe

P.S.: Karma Points are appreciated by all the contributors. 😉

0 Karma
Reply
Get Updates on the Splunk Community!

Observability Unlocked: Kubernetes Monitoring with Splunk Observability Cloud

  Ready to master Kubernetes and cloud monitoring like the pros?Join Splunk’s Growth Engineering team for an ...

Wrapping Up Cybersecurity Awareness Month

October might be wrapping up, but for Splunk Education, cybersecurity awareness never goes out of season. ...

🌟 From Audit Chaos to Clarity: Welcoming Audit Trail v2

&#x1f5e3; You Spoke, We Listened  Audit Trail v2 wasn’t written in isolation—it was shaped by your voices.  In ...