Splunk Search

Display results only above a certain number

Snazter57
New Member

Hi all,

I am having trouble displaying search results when I specify that the returned results must be greater than six in the specified time period.

I have looked at:

http://answers.splunk.com/answers/70433/display-results-only-above-certain-number

The query I have works until I use the stats command to perform counting. It's been a long day so it will most likely be something simple but I just can't see it yet, so here goes:

"Error during SSL Handshake" OR "Connection timed out" OR "Connection refused"
| rex "Connection (?<CONN_ERR>.+): proxy: HTTPS: attempt to connect to (?<IP_PORT>.+) \((?<URL_ID>.+)\).+" 
| rex "] proxy: (?<SSL_ERR>.+) with remote server returned by (?<APP_ID>.+)" 
| eval GEN_ERR=mvappend (CONN_ERR,"",SSL_ERR)
| eval URL_OR_APP=mvappend (URL_ID,"",APP_ID)
| fillnull value=N/A
| table host, GEN_ERR, IP_PORT, URL_OR_APP

This query returns a fully populated table with nine "timed out" errors and eleven "SSL" errors in my test time frame.

If I try to

stats count by host, GEN_ERR, IP_PORT, URL_OR_APP
| search count > 6
| table host, GEN_ERR, IP_PORT, URL_OR_APP

The table then becomes a little bit of a mess with what appears to be (from the count displayed) duplicates with blank fields and then also the fully populated returns on separate lines.

Where did I go wrong?

1 Solution

lguinn2
Legend

I think you misunderstood the meaning of mvappend, which creates a multi-valued field. What I think you wanted was a single field that contains both values. See below:

"Error during SSL Handshake" OR "Connection timed out" OR "Connection refused"
| rex "Connection (?<CONN_ERR>.+): proxy: HTTPS: attempt to connect to (?<IP_PORT>.+) \((?<URL_ID>.+)\).+" 
| rex "] proxy: (?<SSL_ERR>.+) with remote server returned by (?<APP_ID>.+)" 
| fillnull value="N/A"
| eval GEN_ERR=CONN_ERR . " " . SSL_ERR
| eval URL_OR_APP=URL_ID . " " . APP_ID
| stats count by host, GEN_ERR, IP_PORT, URL_OR_APP
| search count > 6

(updated based on comments)

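
As an added illustration (Python written for this page, not Splunk's own code or either poster's), the model below replays both pipelines over constructed proxy-error events: the question's mvappend-then-fillnull version and the accepted answer's fillnull-then-concatenate version. Two SPL behaviours are modelled as assumptions: mvappend drops null arguments but keeps the "" separator, and `stats count by` counts an event once under each value of a multivalue field; the regexes are the thread's two rex patterns rewritten with Python's (?P<name>...) group syntax.

```python
import re
from collections import Counter
# Python spells named groups (?P<name>...); otherwise these are the two rex patterns from the thread.
REX_CONN = re.compile(r"Connection (?P<CONN_ERR>.+): proxy: HTTPS: attempt to connect to (?P<IP_PORT>.+) \((?P<URL_ID>.+)\).+")
REX_SSL = re.compile(r"\] proxy: (?P<SSL_ERR>.+) with remote server returned by (?P<APP_ID>.+)")
GROUP_BY = ("host", "GEN_ERR", "IP_PORT", "URL_OR_APP")
# Constructed sample events (host, _raw): 9 timeouts, 11 SSL failures, 3 refusals below the threshold.
EVENTS = (
    [("web1", "[error] Connection timed out: proxy: HTTPS: attempt to connect to 10.0.0.5:443 (app1.example) failed")] * 9
    + [("web2", "[client 10.1.1.1] proxy: Error during SSL Handshake with remote server returned by /app2")] * 11
    + [("web3", "[error] Connection refused: proxy: HTTPS: attempt to connect to 10.0.0.9:443 (app3.example) failed")] * 3
)

def extract(host, raw):
    """Model the two rex commands; a field stays None (null) when its pattern does not match."""
    ev = {"host": host}
    for rx in (REX_CONN, REX_SSL):
        if m := rx.search(raw):
            ev.update(m.groupdict())
    return {f: ev.get(f) for f in ("host", "CONN_ERR", "IP_PORT", "URL_ID", "SSL_ERR", "APP_ID")}
def fillnull(ev, value="N/A"):  # fillnull: every null field gets the replacement value
    return {k: (value if v is None else v) for k, v in ev.items()}
def mvappend(*args):  # assumed semantics: null arguments are dropped, so the "" separator survives as a value
    return [a for a in args if a is not None]
def stats_count_by(events, fields):
    """Model `stats count by`: an event is counted once under each value of a multivalue field."""
    counts = Counter()
    for ev in events:
        combos = [()]
        for f in fields:
            vals = ev[f] if isinstance(ev[f], list) else [ev[f]]
            combos = [c + (v,) for c in combos for v in vals]
        counts.update(combos)
    return counts

def count_errors(use_mvappend, threshold=6):
    """True runs the question's pipeline (mvappend, then fillnull); False the accepted answer's."""
    rows = []
    for host, raw in EVENTS:
        ev = extract(host, raw)
        if use_mvappend:
            ev["GEN_ERR"] = mvappend(ev["CONN_ERR"], "", ev["SSL_ERR"])
            ev["URL_OR_APP"] = mvappend(ev["URL_ID"], "", ev["APP_ID"])
            ev = fillnull(ev)
        else:  # fillnull first, so the concatenation never touches a null field
            ev = fillnull(ev)
            ev["GEN_ERR"] = ev["CONN_ERR"] + " " + ev["SSL_ERR"]
            ev["URL_OR_APP"] = ev["URL_ID"] + " " + ev["APP_ID"]
        rows.append(ev)
    return {k: n for k, n in stats_count_by(rows, GROUP_BY).items() if n > threshold}
```

count_errors(True) returns eight rows, four per real group, half of them with blank GEN_ERR or URL_OR_APP values, which is the "mess" the question describes; count_errors(False) returns the two rows with counts 9 and 11.
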
Snazter57
New Member

Thanks lguinn (and somesoni2), that has indeed helped. I had to remove the fillnull value="N/A" and change to "" then use replace to populate blank IP_PORT values in a table I added to the end of the query.

lguinn2
Legend

I updated my answer based on somesoni2's comment - and I also changed the eval commands to use explicit concatenation, which may also help.

somesoni2
Revered Legend

Try moving fillnull before your eval commands...

Snazter57
New Member

Hi lguinn, I had previously tried using that method but when the table populates I get the correct count in two records as expected but the GEN_ERR and URL_OR_APP are marked as N/A by the fillnull command. Omitting fillnull it returns 20 events but no table.
