Display only specific values in a column field in Splunk

sudeep5689
Explorer

Hi, I have a list of values getting displayed in one of the columns - Error Messages (for all languages), which I have collected in one row for each error code. Is there a way that I can show only the English messages in the display while still being able to count all the error messages for all languages?

Error Code    Message                           Count
302           Eng, fra                          2
200           spa, fra, italian, arabic, eng    5

So I want the o/p as

Error Code    Message    Count
302           Eng        2
200           eng        5

I tried to use mvindex but it's failing, since some of the error messages come at the top while some come last. Please note that I don't want the count to be changed.

0 Karma

martin_mueller
SplunkTrust

Use mvfilter(lower(Message) = "eng"), or some other filter to detect English.

0 Karma

martin_mueller
SplunkTrust

Filter based on that then.

0 Karma

martin_mueller
SplunkTrust

I don't see language:eng in there.

0 Karma

sudeep5689
Explorer

It's not in this. It's coming as one of the tags in the response

like language:eng LocalizedMessage:

0 Karma

martin_mueller
SplunkTrust

I can't tell you how to use your data if you don't post your data.

0 Karma

sudeep5689
Explorer

This is the o/p of one of the fields:

Angef
El estado del contrato solicitado no se recuper
Le statut de contrat demand
O status do contrato solicitado n
Requested status was not retrieved

Here I want to show just the last one.

0 Karma

martin_mueller
SplunkTrust

Filter by language:eng then?

0 Karma

sudeep5689
Explorer

Should I use mvfilter(language:eng)? But this will not work, right? Can you please help me with this? And language:eng comes as a separate entity.

0 Karma

martin_mueller
SplunkTrust

I don't think there is a language detection function in Splunk.
Do your original events have a language field?

0 Karma

sudeep5689
Explorer

Hi, yes, in the response "language:eng" comes for the English language. For Spanish it would be "language:spa".

0 Karma

martin_mueller
SplunkTrust

You can use any boolean eval expression inside mvfilter(), including regex match().

0 Karma

sudeep5689
Explorer

Hi Martin,

Thanks, but it would again be a difficult task since other languages will contain letters as well.

One of the o/p is:
Angef
El estado del contrato solicitado no se recuper
Le statut de contrat demand
O status do contrato solicitado n
Requested status was not retrieved

From the above o/p I want to extract the English one, which is the last one.

0 Karma

sudeep5689
Explorer

Hi, thanks for your response. But eng is not a fixed word. The error messages are coming in different languages and I'm clubbing them together as per the error code. Now in the error messages column I don't want to show all the messages from each and every language, but just show the English-language message. In the response, language:eng is coming for English.

0 Karma
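
An added example, not posted by anyone in this thread: one way to display only the English message per error code while Count still covers every language, shown both as a conditional aggregate in stats (Message) and as the mvfilter(match()) route suggested above applied to language-prefixed values (MessageViaFilter, which uses mvmap and so needs Splunk 8.0 or later). It assumes each event carries extracted fields named language and LocalizedMessage (the thread mentions both as tags in the response) plus a hypothetical ErrorCode field; the makeresults rows are constructed sample data.

```spl
| makeresults count=7
| streamstats count as n
| eval ErrorCode = if(n <= 2, 302, 200)
| eval language = case(n==1, "eng", n==2, "fra", n==3, "spa", n==4, "fra", n==5, "ita", n==6, "ara", n==7, "eng")
| eval LocalizedMessage = "constructed " . language . " text for code " . tostring(ErrorCode)
| eval pair = lower(language) . "::" . LocalizedMessage
| stats count as Count
        values(eval(if(lower(language) == "eng", LocalizedMessage, null()))) as Message
        values(pair) as pair
        by ErrorCode
| eval MessageViaFilter = mvfilter(match(pair, "^eng::"))
| eval MessageViaFilter = mvmap(MessageViaFilter, replace(MessageViaFilter, "^eng::", ""))
| table ErrorCode Message MessageViaFilter Count
```

Because the language is tested per event before the values are merged, the position of the English message in the multivalue field no longer matters, which is what made mvindex unreliable here.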