Splunk Search

How do I use an if-statement to reduce rows of a field in a Splunk result set?

samsam48
Explorer

I have the following Splunk base search:

sourcetype=serverA FATAL OR ERROR OR WARN | rex field=_raw max_match=1 "(?<error_type>WARN|ERROR|FATAL)"  | rex field=_raw "] (?<error_location>.*?) " | rex field=_raw "\) (?<description>.*)"

I then pipe this result to | eventstats count by error_type to get individual counts of each error type. Finally, I also want to return a set of description for each of the three error_types, whose number of results is reliant on the count for each error_type. For example, if the count of WARN is greater than 5, then it would only grab the first 5 descriptions. If the count is less, it would show them all.

I'm trying a syntax like this with no luck so far:

sourcetype=GRServerPROD_B FATAL OR ERROR OR WARN | rex field=_raw max_match=1 "(?<error_type>WARN|ERROR|FATAL)"  | rex field=_raw "] (?<error_location>.*?) " | rex field=_raw "\) (?<description>.*)"| eventstats count by error_type | eval description_set=if(count>5, <return top 5 descriptions>, <return all descriptions>) | stats values(description_set) as descriptions, values(count) as count by error_type

I also tried running sub-searches using map but this seemed pretty lengthy.

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi samsam48,
I cannot test your search but I had a problem like your, so you have to try something like this:

 sourcetype=GRServerPROD_B FATAL OR ERROR OR WARN 
| rex field=_raw max_match=1 "(?<error_type>WARN|ERROR|FATAL)"  
| rex field=_raw "] (?<error_location>.*?) " 
| rex field=_raw "\) (?<description>.*)"
| stats values(description) AS description dc(description) AS different_descriptions count by error_type
| eval description=if(different_descriptions>5,"There are "+different_descriptions+" description",description)

If you want to have all the description on the same row, add at the end of your search | nomv description

In addition I suggest to use index parameter to have more performant searches.

Bye.
Giuseppe

samsam48
Explorer

Hi cusello,

This query doesn't narrow down the results of description though, if I'm not mistaken? If count for one value of error_type was over 5, then I'd only want 5 descriptions from that given value of error_type. For example, if error_type= WARN, and there were 1000 warnings, then I'd want the final chart to hold only 5 descriptions (it's too much to show all 1000 in an email). However, if error_type =FATAL and there were 2 fatals, then I'd want the final chart to hold those two fatal event's descriptions.

Please let me know if I can clarify further. Thanks.

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi samsam48,
In this way you don't know if you have 5 descriptions or more, because in both the situation you have 5 description!
Anyway, try something like this:

 sourcetype=GRServerPROD_B FATAL OR ERROR OR WARN 
| rex field=_raw max_match=1 "(?<error_type>WARN|ERROR|FATAL)"  
| rex field=_raw "] (?<error_location>.*?) " 
| rex field=_raw "\) (?<description>.*)"
| stats values(description) AS description count by error_type
| eval description=mvindex(description, 0, 4)

Bye.
Giuseppe

samsam48
Explorer

Hi Giuseppe,

Last thing- how would I go about including the counts and set of 5 descriptions in the alert body? It doesn't look like the counts are "named" so I haven't been able to use the $results.fieldName$ syntax in the email body. Is there also an approach to include all 5 descriptions for each error_type in the body as well?

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi samsam48,
I usually don't insert data in the eMail body to have a more general eMail and to avoid problems with fields.
I usually attach a file (csv or pdf) with the results or I enable the link to results (if the receiver is enabled to use Splunk).

Bye.
Giuseppe

0 Karma
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...