Splunk Search

How can I compare values within 1 field and group them

skyblue123
Engager

Hi,

I'm new to Splunk and I was trying to compare values in the same field and group them subsequently.

The events had different client transaction ids, pp_account_numbers and corrids, so I had to remove them before comparing and grouping. I used | stats group by and it didn't get me the results. There were results that looked the same but were not grouped together. Below is my query. I went on to remove spaces so that it would group better, but that didn't work either.


(index=pp_cal_live_logs_failure_services OR index=pp_cal_live_logs_success_sampling OR index=pp_cal_live_logs_allowlist)(machineColo="*") source IN ("riskexternalgateway")
| eval corrId=corr_id
| fields "corrId" , "calName" , "calMessage"
| where (match(calName,"Monitor_Vendor_Service_Call") AND match(calMessage,"usecase_name=US_CIPACHFunding&VReq[a-z]*"))
| eval calMessage= replace(calMessage, " ", "")
| eval calMessage = replace(calMessage, "<client_transaction_id>.*</client_transaction_id>" ," ")
| eval calMessage = replace(calMessage, "<pp_account_number>.*</pp_account_number>" ," ")
| eval calMessage = replace(calMessage, "corr_id_=.*" ,"")
| stats by calMessage 


gcusello
SplunkTrust
SplunkTrust

Hi @skyblue123,

please try this:

(index=pp_cal_live_logs_failure_services OR index=pp_cal_live_logs_success_sampling OR index=pp_cal_live_logs_allowlist)(machineColo="*") source IN ("riskexternalgateway")
| rename corr_id AS corrId
| eval 
 status_calName=if(match(calName,"Monitor_Vendor_Service_Call"),"yes","not"), 
 status_calMessage=if(match(calMessage,"usecase_name=US_CIPACHFunding&VReq[a-z]*"),"yes","not")
| where status_calName="yes" AND status_calMessage="yes"
| eval calMessage= replace(calMessage, " ", "")
| eval calMessage = replace(calMessage, "<client_transaction_id>.*</client_transaction_id>" ," ")
| eval calMessage = replace(calMessage, "<pp_account_number>.*</pp_account_number>" ," ")
| eval calMessage = replace(calMessage, "corr_id_=.*" ,"")
| stats by calMessage 

Ciao.

Giuseppe


skyblue123
Engager

Hi, I have found the solution. Can you help to delete my post? Thank you.


gcusello
SplunkTrust
SplunkTrust

Hi @skyblue123,

Please don't delete your post, it could be useful for other people.

Ciao and happy splunking.

Giuseppe

P.S.: Karma Points are appreciated :winking_face:



skyblue123
Engager

Tried the above, but there were still duplicates that could have been grouped together but were not.

This is what a calMessage field looks like:

Screenshot 2022-02-24 at 3.17.49 PM.png

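The following is an added Python illustration of the grouping problem raised in the question and in the last reply (duplicates that still do not collapse); it is not code from this thread. The three calMessage values are constructed sample data, the element names and the corr_id_ prefix are taken from the queries above, and "<redacted>" is a placeholder token chosen for the example. thread_style_normalize() mirrors the replace chain as posted (spaces only, greedy ".*", "corr_id_=.*"), and normalize() strips the same identifiers with non-greedy, newline-tolerant patterns and collapses all whitespace, which is what makes two events with the same template land in one group:

```python
import re
from collections import Counter

# Constructed sample calMessage values (not real log data). The first two are the same
# message template with different per-request identifiers; the second carries a line
# break inside it, as multi-line XML payloads often do. The third is a different template.
SAMPLE_MESSAGES = [
    "usecase_name=US_CIPACHFunding&VReqType=A <client_transaction_id>tx-1001</client_transaction_id> "
    "<pp_account_number>111111</pp_account_number> status=OK corr_id_=aaa-111",
    "usecase_name=US_CIPACHFunding&VReqType=A <client_transaction_id>tx-2002</client_transaction_id>\n"
    "<pp_account_number>222222</pp_account_number>  status=OK corr_id_=bbb-222",
    "usecase_name=US_CIPACHFunding&VReqType=B <client_transaction_id>tx-3003</client_transaction_id> "
    "<pp_account_number>333333</pp_account_number> status=FAIL corr_id_=ccc-333",
]


def thread_style_normalize(message: str) -> str:
    """Mimic the replace chain from the thread: strip spaces only (newlines survive),
    then greedy '.*' (which, as in PCRE, does not cross a line break), then drop
    everything after corr_id_=. Used here only to show why groups stay split."""
    message = message.replace(" ", "")
    message = re.sub(r"<client_transaction_id>.*</client_transaction_id>", " ", message)
    message = re.sub(r"<pp_account_number>.*</pp_account_number>", " ", message)
    message = re.sub(r"corr_id_=.*", "", message)
    return message


# Per-request identifiers to strip before grouping. Non-greedy so that two elements on
# one line are removed separately, DOTALL so an element spanning a line break still
# matches, and only the corr_id value itself is dropped rather than the rest of the message.
VOLATILE_PATTERNS = [
    re.compile(r"<client_transaction_id>.*?</client_transaction_id>", re.DOTALL),
    re.compile(r"<pp_account_number>.*?</pp_account_number>", re.DOTALL),
    re.compile(r"corr_id_=\S+"),
]


def normalize(message: str) -> str:
    """Replace volatile identifiers with a fixed placeholder token and collapse every
    run of whitespace (spaces, tabs, newlines) to a single space, so that layout
    differences between events cannot split a group."""
    for pattern in VOLATILE_PATTERNS:
        message = pattern.sub("<redacted>", message)
    return " ".join(message.split())


def group_messages(messages, normalizer=normalize):
    """Count events per normalized template, the equivalent of 'stats count by calMessage'."""
    return Counter(normalizer(m) for m in messages)


if __name__ == "__main__":
    print("thread-style replace chain:", len(group_messages(SAMPLE_MESSAGES, thread_style_normalize)), "groups")
    print("normalized:", len(group_messages(SAMPLE_MESSAGES)), "groups")
    for template, count in group_messages(SAMPLE_MESSAGES).most_common():
        print(count, template)
```

On the sample data the thread-style chain yields three groups because the surviving newline in the second message makes it differ from the first, while normalize() yields two (the template with VReqType=A counted twice). The same idea carries back to SPL, where replace() is PCRE-based: use ".*?" inside the element patterns, prefix them with "(?s)" if the payload can span lines, replace "corr_id_=\S+" rather than "corr_id_=.*", and finish with replace(calMessage, "\s+", " ") instead of stripping spaces only, then group with stats count by calMessage so each group shows how many events it absorbed.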