Hello everyone,
Firstly Big Thanks to @ITWhisperer for helping me in recent weeks 😊
I have created a splunk query which will display the data as below.
| Operations | average | response90 |
| create_cart | 250 | 380 |
| cart_summary | 240 | 330 |
| cart_productType | 210 | 321 |
| getCart | 260 | 365 |
index=my_index openshift_cluster="cluster009" sourcetype=openshift_logs openshift_namespace=my_ns openshift_container_name=container
| search ("POST /shopping/carts/v1 HTTP"
OR "GET /shopping/carts/v1/*/summary HTTP"
OR "GET *shopping*carts*productType* HTTP")
| eval Operations=case(
searchmatch("POST /shopping/carts/v1 HTTP"),"create_cart",
searchmatch("GET /shopping/carts/v1/*/summary HTTP"),"cart_summary",
searchmatch("GET *shopping*carts*productType* HTTP"),"cart_productType")
| stats avg(processDuration) as average perc90(processDuration) as response90 by Operations
| eval average=round(average,2),response90=round(response90,2)
I want to include 1 more search pattern as below:
"message":{"input":"999.111.000.999 - - [06/Apr/2023:04:08:13 +0000] \"GET /shopping/carts/v1/83h3h331-g494-28h4-yyw7-dq123123123d HTTP/1.1\" 200 1855 8080 10 ms"}
Hence I changed the Splunk query to something like below to display the above formatted tabular information
index=my_index openshift_cluster="cluster009" sourcetype=openshift_logs openshift_namespace=my_ns openshift_container_name=container
| rex "\"(?<url>GET /shopping/carts/v1/[^/ ?]+\sHTTP)"
| search ("POST /shopping/carts/v1 HTTP"
OR "GET /shopping/carts/v1/*/summary HTTP"
OR "GET *shopping*carts*productType* HTTP")
OR url
| eval Operations=case(
searchmatch("POST /shopping/carts/v1 HTTP"),"create_cart",
searchmatch("GET /shopping/carts/v1/*/summary HTTP"),"cart_summary",
searchmatch("GET *shopping*carts*productType* HTTP"),"cart_productType",
searchmatch(url),"getCart")
| stats avg(processDuration) as average perc90(processDuration) as response90 by Operations
| eval average=round(average,2),response90=round(response90,2)
I am encountering the error stating: Error in 'EvalCommand': The arguments to the 'searchmatch' function are invalid.
First, I think ITWhisperer already mentioned that adding "search" commands after the index search is less efficient. So, your first search really should start with (before the case function)
index=my_index openshift_cluster="cluster009" sourcetype=openshift_logs openshift_namespace=my_ns openshift_container_name=container
("POST /shopping/carts/v1 HTTP"
OR "GET /shopping/carts/v1/*/summary HTTP"
OR "GET *shopping*carts*productType* HTTP")
Secondly, unless you say something like "url = <something>" in the second search, the rex and the second search command would make absolutely no difference.
Now, to the error from searchmatch inside that case function. searchmatch expects a literal string as argument. The bare url is not a literal string, therefore the error.
I think what you want is something like
index=my_index openshift_cluster="cluster009" sourcetype=openshift_logs openshift_namespace=my_ns openshift_container_name=container
("POST /shopping/carts/v1 HTTP"
OR "GET /shopping/carts/v1/* HTTP" ``` do not differentiate ```
OR "GET *shopping*carts*productType* HTTP")
| eval Operations=case(
searchmatch("POST /shopping/carts/v1 HTTP"),"create_cart",
searchmatch("GET /shopping/carts/v1/*/summary HTTP"),"cart_summary",
searchmatch("GET *shopping*carts*productType* HTTP"),"cart_productType",
match(_raw, "\\GET /shopping/carts/v1/[^/ ?]+\sHTTP"),"getCart")
| stats avg(processDuration) as average perc90(processDuration) as response90 by Operations
| eval average=round(average,2),response90=round(response90,2)
Here, the match function takes a literal string or a string field and does a regex match. There is no need for a separate rex command.
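To check the classification logic offline before putting it into the case() function, here is an added Python example (not from the thread or from Splunk) that runs the same four patterns, in the same first-match-wins order, over constructed access-log lines in the shape of the quoted event, then computes the average and an approximate 90th percentile per operation. The log lines, ids and durations are made up.

```python
import re
from collections import defaultdict

# Ordered (label, regex) pairs mirroring the case() branches in the thread.
# Splunk's "*" wildcard is rendered as ".*"; the getCart pattern keeps the
# [^/ ?]+ class so a ".../<id>/summary" path does not fall into getCart.
OPERATIONS = [
    ("create_cart", re.compile(r"POST /shopping/carts/v1 HTTP")),
    ("cart_summary", re.compile(r"GET /shopping/carts/v1/.*/summary HTTP")),
    ("cart_productType", re.compile(r"GET .*shopping.*carts.*productType.* HTTP")),
    ("getCart", re.compile(r"GET /shopping/carts/v1/[^/ ?]+\sHTTP")),
]
DURATION = re.compile(r"(\d+) ms$")  # stands in for processDuration

# Constructed sample events (ids, sizes and durations are invented).
EVENTS = [
    '"GET /shopping/carts/v1/83h3h331-g494-28h4-yyw7-dq123123123d HTTP/1.1" 200 1855 8080 10 ms',
    '"GET /shopping/carts/v1/83h3h331-g494-28h4-yyw7-dq123123123d HTTP/1.1" 200 1855 8080 30 ms',
    '"GET /shopping/carts/v1/83h3h331-g494-28h4-yyw7-dq123123123d/summary HTTP/1.1" 200 900 8080 25 ms',
    '"POST /shopping/carts/v1 HTTP/1.1" 201 120 8080 40 ms',
    '"GET /shopping/carts/v1/productType/abc HTTP/1.1" 200 50 8080 12 ms',
]

def classify(raw):
    """First matching branch wins, like eval case(); None if nothing matches."""
    for label, pattern in OPERATIONS:
        if pattern.search(raw):
            return label
    return None

def perc90(values):
    """Nearest-rank 90th percentile (an approximation of Splunk's perc90)."""
    ordered = sorted(values)
    rank = max(1, -(-len(ordered) * 90 // 100))  # ceil(0.9 * n)
    return ordered[rank - 1]

def summarize(events):
    """Group durations by operation; return {operation: (average, response90)}."""
    by_op = defaultdict(list)
    for raw in events:
        label = classify(raw)
        m = DURATION.search(raw)
        if label and m:
            by_op[label].append(int(m.group(1)))
    return {op: (round(sum(v) / len(v), 2), perc90(v)) for op, v in by_op.items()}

if __name__ == "__main__":
    for op, (avg, p90) in summarize(EVENTS).items():
        print(f"{op:<18} {avg:>8} {p90:>8}")
```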