Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Help with Splunk rex and using it in searchmatch?

super_edition
Path Finder
‎04-23-2023 12:45 PM

Hello eveyrone,

Firstly Big Thanks to @ITWhisperer for helping me in recent weeks 😊

I have created a splunk query which will display the data as below. 

Operations average response90
create_cart 250 380
cart_summary 240 330
cart_productType 210 321
getCart 260 365

 

 

 

index=my_index openshift_cluster="cluster009" sourcetype=openshift_logs openshift_namespace=my_ns openshift_container_name=container 
| search ("POST /shopping/carts/v1 HTTP" 
OR "GET /shopping/carts/v1/*/summary HTTP" 
OR "GET *shopping*carts*productType* HTTP") 
| eval Operations=case(
searchmatch("POST /shopping/carts/v1 HTTP"),"create_cart",
searchmatch("GET /shopping/carts/v1/*/summary HTTP"),"cart_summary",
searchmatch("GET *shopping*carts*productType* HTTP"),"cart_productType")
| stats avg(processDuration) as average perc90(processDuration) as response90 by Operations 
| eval average=round(average,2),response90=round(response90,2)

 

 

I want to include 1 more search pattern as below:

 

 

"message":{"input":"999.111.000.999 - - [06/Apr/2023:04:08:13 +0000] \"GET /shopping/carts/v1/83h3h331-g494-28h4-yyw7-dq123123123d HTTP/1.1\" 200 1855 8080 10 ms"}

 

 

Hence I changed the splunk query something like below to display the above formatted tabular information

 

 

index=my_index openshift_cluster="cluster009" sourcetype=openshift_logs openshift_namespace=my_ns openshift_container_name=container 
| rex "\"(?<url>GET /shopping/carts/v1/[^/ ?]+\sHTTP)"
| search ("POST /shopping/carts/v1 HTTP" 
OR "GET /shopping/carts/v1/*/summary HTTP" 
OR "GET *shopping*carts*productType* HTTP")
OR url
| eval Operations=case(
searchmatch("POST /shopping/carts/v1 HTTP"),"create_cart",
searchmatch("GET /shopping/carts/v1/*/summary HTTP"),"cart_summary",
searchmatch("GET *shopping*carts*productType* HTTP"),"cart_productType",
searchmatch(url),"getCart")
| stats avg(processDuration) as average perc90(processDuration) as response90 by Operations 
| eval average=round(average,2),response90=round(response90,2)

 

 

I am encountering the error stating : Error in 'EvalCommand': The arguments to the 'searchmatch' function are invalid.

 

Labels (3)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

yuanliu
SplunkTrust
SplunkTrust
‎04-23-2023 01:32 PM

First, I think ITWhiperer already mentioned that adding "search" commands after the index search is less efficient.  So, your first search really should start with (before case function)

index=my_index openshift_cluster="cluster009" sourcetype=openshift_logs openshift_namespace=my_ns openshift_container_name=container
 ("POST /shopping/carts/v1 HTTP" 
OR "GET /shopping/carts/v1/*/summary HTTP" 
OR "GET *shopping*carts*productType* HTTP")

Secondly, unless you say something like "url = <something>" in the second search, the rex and the second search command would make absolutely no difference.

Now, to the error from searchmatch inside that case function.  searchmatch expects a literal string as argument.  The bare url is not a literal string, therefore the error.

I think what you want is something like

index=my_index openshift_cluster="cluster009" sourcetype=openshift_logs openshift_namespace=my_ns openshift_container_name=container
("POST /shopping/carts/v1 HTTP" 
OR "GET /shopping/carts/v1/* HTTP" ``` do not differentiate ```
OR "GET *shopping*carts*productType* HTTP")
| eval Operations=case(
searchmatch("POST /shopping/carts/v1 HTTP"),"create_cart",
searchmatch("GET /shopping/carts/v1/*/summary HTTP"),"cart_summary",
searchmatch("GET *shopping*carts*productType* HTTP"),"cart_productType",
match(_raw, "\\GET /shopping/carts/v1/[^/ ?]+\sHTTP"),"getCart")
| stats avg(processDuration) as average perc90(processDuration) as response90 by Operations 
| eval average=round(average,2),response90=round(response90,2)

Here, match function takes a literal string OR string field, and does a regex match.  There is no need for a separate rex command.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

yuanliu
SplunkTrust
SplunkTrust
‎04-23-2023 01:32 PM

First, I think ITWhiperer already mentioned that adding "search" commands after the index search is less efficient.  So, your first search really should start with (before case function)

index=my_index openshift_cluster="cluster009" sourcetype=openshift_logs openshift_namespace=my_ns openshift_container_name=container
 ("POST /shopping/carts/v1 HTTP" 
OR "GET /shopping/carts/v1/*/summary HTTP" 
OR "GET *shopping*carts*productType* HTTP")

Secondly, unless you say something like "url = <something>" in the second search, the rex and the second search command would make absolutely no difference.

Now, to the error from searchmatch inside that case function.  searchmatch expects a literal string as argument.  The bare url is not a literal string, therefore the error.

I think what you want is something like

index=my_index openshift_cluster="cluster009" sourcetype=openshift_logs openshift_namespace=my_ns openshift_container_name=container
("POST /shopping/carts/v1 HTTP" 
OR "GET /shopping/carts/v1/* HTTP" ``` do not differentiate ```
OR "GET *shopping*carts*productType* HTTP")
| eval Operations=case(
searchmatch("POST /shopping/carts/v1 HTTP"),"create_cart",
searchmatch("GET /shopping/carts/v1/*/summary HTTP"),"cart_summary",
searchmatch("GET *shopping*carts*productType* HTTP"),"cart_productType",
match(_raw, "\\GET /shopping/carts/v1/[^/ ?]+\sHTTP"),"getCart")
| stats avg(processDuration) as average perc90(processDuration) as response90 by Operations 
| eval average=round(average,2),response90=round(response90,2)

Here, match function takes a literal string OR string field, and does a regex match.  There is no need for a separate rex command.

0 Karma
Reply
Get Updates on the Splunk Community!

Index This | What is broken 80% of the time by February?

December 2025 Edition   Hayyy Splunk Education Enthusiasts and the Eternally Curious!    We’re back with this ...

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...

Hello Splunk Community,   We're thrilled to share an exciting update that will help you manage your data more ...

Splunk MCP & Agentic AI: Machine Data Without Limits

Discover how the Splunk Model Context Protocol (MCP) Server can revolutionize the way your organization uses ...