Splunk Search

Display results only above a certain number

Snazter57
New Member

Hi all,

I am having trouble displaying search results when I specify that the returned results must be greater than six in the specified time period.

I have looked at:

http://answers.splunk.com/answers/70433/display-results-only-above-certain-number

The query I have works until I use the stats command to perform counting. It's been a long day so it will most likely be something simple but I just can't see it yet, so here goes:

"Error during SSL Handshake" OR "Connection timed out" OR "Connection refused"
| rex "Connection (?<CONN_ERR>.+): proxy: HTTPS: attempt to connect to (?<IP_PORT>.+) \((?<URL_ID>.+)\).+" 
| rex "] proxy: (?<SSL_ERR>.+) with remote server returned by (?<APP_ID>.+)" 
| eval GEN_ERR=mvappend (CONN_ERR,"",SSL_ERR)
| eval URL_OR_APP=mvappend (URL_ID,"",APP_ID)
| fillnull value=N/A
| table host, GEN_ERR, IP_PORT, URL_OR_APP

This query returns a fully populated table with nine "timed out" errors and eleven "SSL" errors in my test time frame.

If I try to

stats count by host, GEN_ERR, IP_PORT, URL_OR_APP
| search count > 6
| table host, GEN_ERR, IP_PORT, URL_OR_APP

The table then becomes a little bit of a mess with what appears to be (from the count displayed) duplicates with blank fields and then also the fully populated returns on separate lines.

Where did I go wrong?

0 Karma
1 Solution

lguinn2
Legend

I think you misunderstood the meaning of mvappend, which creates a multi-valued field. What I think you wanted was a single field that contains both values. See below:

"Error during SSL Handshake" OR "Connection timed out" OR "Connection refused"
| rex "Connection (?<CONN_ERR>.+): proxy: HTTPS: attempt to connect to (?<IP_PORT>.+) \((?<URL_ID>.+)\).+" 
| rex "] proxy: (?<SSL_ERR>.+) with remote server returned by (?<APP_ID>.+)" 
| fillnull value="N/A"
| eval GEN_ERR=CONN_ERR . " " . SSL_ERR
| eval URL_OR_APP=URL_ID . " " . APP_ID
| stats count by host, GEN_ERR, IP_PORT, URL_OR_APP
| search count > 6

(updated based on comments)

0 Karma

Snazter57
New Member

Thanks lguinn (and somesoni2), that has indeed helped. I had to remove the fillnull value="N/A" and change to "" then use replace to populate blank IP_PORT values in a table I added to the end of the query.

0 Karma

lguinn2
Legend

I updated my answer based on somesoni2's comment - and I also changed the eval commands to use explicit concatenation, which may also help.

0 Karma

somesoni2
Revered Legend

Try moving fillnull before your eval commands...

0 Karma

Snazter57
New Member

Hi lguinn, I had previously tried using that method but when the table populates I get the correct count in two records as expected but the GEN_ERR and URL_OR_APP are marked as N/A by the fillnull command. Omitting fillnull, it returns 20 events but no table.

0 Karma
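Added example (not from any post in this thread, and not Splunk's own code): a small Python model of what the two queries do, so the "duplicates with blank fields" can be reproduced offline. It reuses the two rex patterns from the thread (translated from Splunk's (?<name>...) syntax to Python's (?P<name>...)), runs them over a constructed set of proxy error events, and then compares the original mvappend pipeline against the accepted answer's fillnull-then-concatenate pipeline, including the fillnull ordering point from somesoni2's comment and the N/A-versus-empty-string fill value from Snazter57's follow-up. The event text, hostnames and addresses are made up; the multivalue expansion in stats_count_by is an assumption that mirrors how Splunk's stats treats a multivalue split-by field (one group per value), and the trim of the concatenated value is my addition (Splunk's trim() would do the same).

```python
import re
from collections import Counter
from itertools import product

# The two rex patterns from the thread, in Python named-group syntax.
CONN_RE = re.compile(
    r"Connection (?P<CONN_ERR>.+): proxy: HTTPS: attempt to connect to "
    r"(?P<IP_PORT>.+) \((?P<URL_ID>.+)\).+"
)
SSL_RE = re.compile(
    r"\] proxy: (?P<SSL_ERR>.+) with remote server returned by (?P<APP_ID>.+)"
)

# Constructed sample events as (host, raw message); not taken from the thread.
# 8 TLS handshake failures on web01, 7 timeouts and 3 refusals on web02.
EVENTS = (
    [("web01", "[error] [client 192.0.2.7] proxy: Error during SSL Handshake "
               "with remote server returned by /app/login")] * 8
    + [("web02", "[error] (110)Connection timed out: proxy: HTTPS: attempt to "
                 "connect to 10.0.0.5:443 (backend.example.internal) failed")] * 7
    + [("web02", "[error] (111)Connection refused: proxy: HTTPS: attempt to "
                 "connect to 10.0.0.9:8443 (svc.example.internal) failed")] * 3
)

FIELDS = ("CONN_ERR", "IP_PORT", "URL_ID", "SSL_ERR", "APP_ID")
GROUP_BY = ("host", "GEN_ERR", "IP_PORT", "URL_OR_APP")


def extract(host, raw):
    """Apply both rex patterns; a field that did not match stays None (Splunk: null)."""
    ev = {"host": host, **{f: None for f in FIELDS}}
    for rx in (CONN_RE, SSL_RE):
        m = rx.search(raw)
        if m:
            ev.update(m.groupdict())
    return ev


def mvappend(*vals):
    """Model of mvappend: a multivalue field; null arguments contribute nothing."""
    return [v for v in vals if v is not None]


def fillnull(ev, value):
    """Model of fillnull: replace null (None) values only, never empty strings."""
    return {k: (value if v is None else v) for k, v in ev.items()}


def stats_count_by(rows, keys):
    """stats count by <keys>; a multivalue field yields one group per value (assumption)."""
    counts = Counter()
    for row in rows:
        choices = [row[k] if isinstance(row[k], list) else [row[k]] for k in keys]
        for combo in product(*choices):
            counts[combo] += 1
    return counts


def pipeline_mvappend(events, threshold=6):
    """The original question: mvappend, then fillnull, then stats and count filter."""
    rows = []
    for host, raw in events:
        ev = extract(host, raw)
        ev["GEN_ERR"] = mvappend(ev["CONN_ERR"], "", ev["SSL_ERR"])
        ev["URL_OR_APP"] = mvappend(ev["URL_ID"], "", ev["APP_ID"])
        rows.append(fillnull(ev, "N/A"))
    counts = stats_count_by(rows, GROUP_BY)
    return {k: c for k, c in counts.items() if c > threshold}


def pipeline_concat(events, fill="", threshold=6):
    """The accepted answer: fillnull before eval, single-valued concatenation, then stats."""
    rows = []
    for host, raw in events:
        ev = fillnull(extract(host, raw), fill)
        ev["GEN_ERR"] = (ev["CONN_ERR"] + " " + ev["SSL_ERR"]).strip()
        ev["URL_OR_APP"] = (ev["URL_ID"] + " " + ev["APP_ID"]).strip()
        rows.append(ev)
    counts = stats_count_by(rows, GROUP_BY)
    return {k: c for k, c in counts.items() if c > threshold}


if __name__ == "__main__":
    print("mvappend pipeline (blank-field duplicates):")
    for key, n in sorted(pipeline_mvappend(EVENTS).items()):
        print(f"  {n:3d}  {key}")
    print("concat pipeline, fillnull value=\"\":")
    for key, n in sorted(pipeline_concat(EVENTS).items()):
        print(f"  {n:3d}  {key}")
    print("concat pipeline, fillnull value=\"N/A\":")
    for key, n in sorted(pipeline_concat(EVENTS, fill="N/A").items()):
        print(f"  {n:3d}  {key}")
```

Running it shows the mvappend version producing eight rows above the threshold (four per error type, three of them with a blank GEN_ERR or URL_OR_APP, all carrying the same count), while the concatenation version produces the two rows the question expected. The fill value matters because fillnull runs before the eval: "N/A" ends up glued into GEN_ERR and URL_OR_APP, which is why an empty fill value plus a later replace reads more cleanly for the fields that were filled in only one of the two rex branches.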