Splunk Search

How do I write this search with a mvindex with a conditional?

user33
Path Finder

Hello,

I have the below SPL with the two mvindex functions.

mvindex position '6' in the array is supposed to apply http statuses for /developers. 

mvindex position '10' in the array is supposed to apply http statuses for /apps

Currently positions 6 and 10 are crossing events, applying to both APIs. Is there any way I can have one mvindex apply to one command?


(index=wf_pvsi_virt OR index=wf_pvsi_tmps) (sourcetype="wf:wca:access:txt" OR sourcetype="wf:devp1:access:txt") wf_env=PROD
| eval temp=split(_raw," ")
| eval API=mvindex(temp,4,8)
| eval http_status=mvindex(temp,6,10)
| search (
"/services/protected/v1/developers" OR
"/wcaapi/userReg/wgt/apps"
)
| search NOT "Mozilla"
| eval API = if(match(API,"/services/protected/v1/developers"), "DEVP1: Developers", API)
| eval API = if(match(API,"/wcaapi/userReg/wgt/apps"), "User Registration Enhanced Login", API)


0 Karma
1 Solution

ITWhisperer
SplunkTrust
| eval status_index = if(match(API,"/services/protected/v1/developers"), 6, 10)
| eval http_status=mvindex(temp, status_index)
0 Karma


user33
Path Finder

What I am attempting to do below:

| eval temp=split(_raw," ")
| eval API=mvindex(temp,4,8)
```| eval http_status=mvindex(temp,6,10)```

| eval status_index = if(match(API,"/services/protected/v1/developers"), 4, 6)
| eval status_index1 = if(match(API,"/services/public/v1/signup"), 4, 6)
| eval status_index2 = if(match(API,"/wcaapi/userReg/wgt/apps"), 8, 10)
| eval http_status=mvindex(temp, status_index)


| search (
"/services/public/v1/signup" OR
"/services/protected/v1/developers" OR 
"/services/public/v1/captcha" OR 
"/wcaapi/userReg/wgt/apps"
)
| eval API = if(match(API,"/services/public/v1/signup"), "DEVP1: Signup", API)
| eval API = if(match(API,"/services/protected/v1/developers"), "DEVP1: Developers", API)
| eval API = if(match(API,"/services/public/v1/captcha"), "DEVP1: Captcha", API)
| eval API = if(match(API,"/wcaapi/userReg/wgt/apps"), "User Registration Enhanced Login", API)
0 Karma

user33
Path Finder

Thank you!!

However, if I wanted to make more than one "status_index" for each API and then combine all status_indexes into one field called "http_status"; how would I do that?

0 Karma

ITWhisperer
SplunkTrust

I am not sure I understand what you are trying to do. Please can you share some sample events and highlight which part you want extracted to which field - rex might be an easier option for you.

0 Karma

user33
Path Finder

Not a problem. It looks like I may have achieved it by modifying your solution. I had issues with regex in the past, so I was hoping to use this. I am not sure what "null" does in the "status_index" evals below, but it seems to work by not including frivolous information.

[screenshot: user33_0-1675875201520.png]

| eval temp=split(_raw," ")
| eval status_index1 = if(match(API,"/services/protected/v1/developers"), 6, null)
| eval status_index2 = if(match(API,"/services/public/v1/signup"), 6, null)
| eval status_index3 = if(match(API,"/wcaapi/userReg/wgt/apps"), 10, null)
| eval http_status1 = mvindex(temp, status_index1)
| eval http_status2 = mvindex(temp, status_index2)
| eval http_status3 = mvindex(temp, status_index3)
| eval http_status = coalesce(http_status1, http_status2, http_status3)

| search (
"/services/public/v1/signup" OR
"/services/protected/v1/developers" OR 
"/services/public/v1/captcha" OR 
"/wcaapi/userReg/wgt/apps"
)
| search NOT "Mozilla"
| eval API = if(match(API,"/services/public/v1/signup"), "DEVP1: Signup", API)
| eval API = if(match(API,"/services/protected/v1/developers"), "DEVP1: Developers", API)
| eval API = if(match(API,"/services/public/v1/captcha"), "DEVP1: Captcha", API)
| eval API = if(match(API,"/wcaapi/userReg/wgt/apps"), "User Registration Enhanced Login", API)
| fields API, http_status, wf_env
| convert timeformat="%Y-%m" ctime(_time) AS Date
| stats count(http_status) as Total_Calls, count(eval(http_status>=500)) as Server_Error by Date, API, wf_env
| eval SuccessRate=round((1-(Server_Error/Total_Calls)) * 100,2)


0 Karma
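The conditional-index pattern from the accepted answer and the null/coalesce version in the last post, as an added Python example that is not code from the thread or from Splunk. On the eval function itself: the function that returns a null value is `null()`; a bare `null`, as in the last post, is read as a reference to a field named null, which does not exist and so also evaluates to null, which is why the posted search behaves the same way. In both cases mvindex of a null index is null and coalesce keeps the one non-null candidate. The thread shows no sample events, so the two token layouts below (path at token 4 and status at token 6 for one API family, tokens 8 and 10 for the other), the sample lines and the `ROUTES` table are constructed assumptions. The example goes one step further than the thread and also shows the rex-style alternative ITWhisperer mentions: a regex anchored on the request tokens, which does not care where the request sits in the line.

```python
"""Added example (not code from the thread): the split/mvindex/coalesce pattern
from the final post, re-implemented in Python over constructed access-log lines,
next to a position-independent regex extraction of the kind rex would do."""
import re
from collections import defaultdict

# Constructed sample events; the real wf_pvsi_* layouts are not shown in the
# thread, so two layouts are ASSUMED here: devp1-style lines carry the path at
# token 4 and the HTTP status at token 6, wca-style lines at tokens 8 and 10.
EVENTS = [
    "2023-02-08T10:00:00Z PROD host1 POST /services/protected/v1/developers HTTP/1.1 201 0.012 curl/7.81",
    "2023-02-08T10:00:01Z PROD host1 POST /services/protected/v1/developers HTTP/1.1 502 0.800 curl/7.81",
    "2023-02-08T10:00:02Z PROD host1 POST /services/public/v1/signup HTTP/1.1 200 0.030 okhttp/4.9",
    "2023-02-08T10:00:03Z PROD host2 - - - - GET /wcaapi/userReg/wgt/apps HTTP/1.1 200 0.100 okhttp/4.9",
    "2023-02-08T10:00:04Z PROD host2 - - - - GET /wcaapi/userReg/wgt/apps HTTP/1.1 503 0.340 okhttp/4.9",
    "2023-02-08T10:00:05Z PROD host2 - - - - GET /wcaapi/userReg/wgt/apps HTTP/1.1 200 0.090 okhttp/4.9",
    # One extra token ("app-gw") before the request shifts every later position;
    # positional extraction then reads the protocol where it expects the status.
    "2023-02-08T10:00:06Z PROD host1 app-gw POST /services/protected/v1/developers HTTP/1.1 500 0.700 curl/7.81",
]

# Path substring the posts match on -> (API label, token index of the status).
ROUTES = {
    "/services/protected/v1/developers": ("DEVP1: Developers", 6),
    "/services/public/v1/signup": ("DEVP1: Signup", 6),
    "/wcaapi/userReg/wgt/apps": ("User Registration Enhanced Login", 10),
}


def mvindex(mv, start, end=None):
    """Model of Splunk mvindex(): one index -> one value, start and end ->
    inclusive slice; a null index or an out-of-range index yields null (None)."""
    if start is None:
        return None
    if end is None:
        return mv[start] if -len(mv) <= start < len(mv) else None
    return mv[start:end + 1] or None


def coalesce(*values):
    """Splunk coalesce(): the first argument that is not null."""
    return next((v for v in values if v is not None), None)


def range_status(raw):
    """The original search's mvindex(temp,6,10): a multivalue spanning both
    candidate positions, so every event picks up tokens meant for the other API."""
    return mvindex(raw.split(" "), 6, 10)


def positional_status(raw):
    """The final post's pattern: status_indexN = if(match(API, path), idx, null()),
    http_statusN = mvindex(temp, status_indexN), http_status = coalesce(...)."""
    temp = raw.split(" ")
    api, candidates = None, []
    for path, (label, idx) in ROUTES.items():
        status_index = idx if path in raw else None
        candidates.append(mvindex(temp, status_index))
        if status_index is not None:
            api = label
    return api, coalesce(*candidates)


# Anchored on the request itself: method, path, protocol, then the 3-digit
# status. Token positions before the request no longer matter.
REQUEST_RE = re.compile(r"(?P<method>[A-Z]+) (?P<path>/\S+) HTTP/\d\.\d (?P<status>\d{3})\b")


def rex_status(raw):
    """rex-style extraction: the same (API label, status) pair from a regex."""
    m = REQUEST_RE.search(raw)
    if m is None or m.group("path") not in ROUTES:
        return None, None
    return ROUTES[m.group("path")][0], m.group("status")


def success_rates(events, extractor):
    """The thread's stats, per API: count(http_status) as Total_Calls,
    count(eval(http_status>=500)) as Server_Error, SuccessRate in percent."""
    totals = defaultdict(lambda: [0, 0])
    for raw in events:
        if "Mozilla" in raw:                # | search NOT "Mozilla"
            continue
        api, status = extractor(raw)
        if api is None or status is None:   # count() skips null values
            continue
        totals[api][0] += 1
        if status.isdigit() and int(status) >= 500:
            totals[api][1] += 1
    return {api: {"Total_Calls": calls, "Server_Error": errors,
                  "SuccessRate": round((1 - errors / calls) * 100, 2)}
            for api, (calls, errors) in totals.items()}


if __name__ == "__main__":
    for raw in EVENTS:
        print(positional_status(raw), rex_status(raw))
    print("positional:", success_rates(EVENTS, positional_status))
    print("regex:     ", success_rates(EVENTS, rex_status))
```

Running it shows the difference that matters for an error-rate dashboard: on the shifted line the positional version returns "HTTP/1.1" as the status, which count(http_status) still counts as a call but count(eval(http_status>=500)) does not, so DEVP1: Developers reports a 66.67% success rate where the regex version, reading the real 500, reports 33.33%. Positional parsing fails silently in the direction of under-reporting server errors, which is why a rex anchored on the request is the safer extraction when the line layout is not guaranteed.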