
How do I write this search with a mvindex with a conditional?

user33
Path Finder

Hello,

I have the below SPL with the two mvindex functions.

mvindex position '6' in the array is supposed to apply HTTP statuses for /developers.

mvindex position '10' in the array is supposed to apply HTTP statuses for /apps.

Currently positions 6 and 10 are crossing events, applying to both APIs. Is there any way I can have one mvindex apply to one command?


(index=wf_pvsi_virt OR index=wf_pvsi_tmps) (sourcetype="wf:wca:access:txt" OR sourcetype="wf:devp1:access:txt") wf_env=PROD
| eval temp=split(_raw," ")
| eval API=mvindex(temp,4,8)
| eval http_status=mvindex(temp,6,10)
| search (
"/services/protected/v1/developers" OR
"/wcaapi/userReg/wgt/apps"
)
| search NOT "Mozilla"
| eval API = if(match(API,"/services/protected/v1/developers"), "DEVP1: Developers", API)
| eval API = if(match(API,"/wcaapi/userReg/wgt/apps"), "User Registration Enhanced Login", API)

1 Solution

ITWhisperer
SplunkTrust
| eval status_index = if(match(API,"/services/protected/v1/developers"), 6, 10)
| eval http_status=mvindex(temp, status_index)
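The reason positions 6 and 10 "cross" in the original search is that `mvindex(temp,6,10)` does not return tokens 6 and 10; with a start and an end index it returns the whole inclusive range of values 6 through 10, so both APIs end up with the same five tokens in `http_status`. The accepted solution fixes that by computing exactly one index per event and passing it as a single argument. The search below is an added, self-contained example (not from the thread and not Splunk's own code) that runs that idea end to end over constructed events, then cross-checks the positional result against a `rex` extraction, the alternative ITWhisperer mentions further down. It assumes two constructed log layouts: a devp1-style line with the request path at token 4 and the status at token 6, and a wca-style line with the path at token 8 and the status at token 10, which is what the question's indexes imply. The hostnames, timestamps, IPs and the field names `line`, `method`, `path`, `status_rex` and `mismatch` are all made up for the example.

```spl
| makeresults
| eval line=mvappend(
    "2023-02-08T10:00:00Z devp1-a devp1 GET /services/protected/v1/developers HTTP/1.1 200 512",
    "2023-02-08T10:00:01Z devp1-a devp1 GET /services/protected/v1/developers HTTP/1.1 503 0",
    "2023-02-08T10:00:02Z wca-a wca 10.1.2.3 - sess01 - POST /wcaapi/userReg/wgt/apps HTTP/1.1 200 88",
    "2023-02-08T10:00:03Z wca-a wca 10.1.2.4 - sess02 - POST /wcaapi/userReg/wgt/apps HTTP/1.1 500 0",
    "2023-02-08T10:00:04Z devp1-a devp1 GET /services/protected/v1/developers HTTP/1.1 200 512 Mozilla/5.0")
| mvexpand line
| rename line AS _raw
| where NOT like(_raw, "%Mozilla%")
| eval temp=split(_raw, " ")
| eval status_index=case(
    match(mvindex(temp, 4), "^/services/protected/v1/developers"), 6,
    match(mvindex(temp, 8), "^/wcaapi/userReg/wgt/apps"), 10)
| eval http_status=tonumber(mvindex(temp, status_index))
| eval API=case(
    status_index==6, "DEVP1: Developers",
    status_index==10, "User Registration Enhanced Login")
| rex field=_raw "\s(?<method>[A-Z]+)\s(?<path>/\S+)\sHTTP/\d\.\d\s(?<status_rex>\d{3})(\s|$)"
| eval mismatch=if(http_status!=tonumber(status_rex), 1, 0)
| eval Date=strftime(_time, "%Y-%m")
| stats count(http_status) AS Total_Calls,
        count(eval(http_status>=500)) AS Server_Error,
        sum(mismatch) AS Position_Mismatches
        BY Date, API
| eval SuccessRate=round((1-(Server_Error/Total_Calls))*100, 2)
```

How the pieces fit: `makeresults`, `mvappend` and `mvexpand` just turn the constructed lines into one event each, and `where NOT like(...)` plays the role of the original `search NOT "Mozilla"`. `case()` tests a single token per layout (`mvindex(temp,4)` or `mvindex(temp,8)`) rather than the 4..8 range, and returns NULL when no clause matches, so an unrecognised event gets no `status_index`, `mvindex(temp, NULL)` is NULL, and `count(http_status)` leaves it out; that is the same effect the later `null`/`coalesce()` variant in this thread relies on. `tonumber()` makes the `>=500` comparison numeric instead of string-based. The `rex` line extracts the status by anchoring on the request line (`METHOD path HTTP/x.y status`) instead of counting tokens, so it keeps working when an upstream change adds or removes a space-separated field; `Position_Mismatches` should stay at zero while the token positions still hold, and a non-zero value is the signal that the positional search has silently started reading the wrong column.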

user33
Path Finder

What I am attempting to do below:

| eval temp=split(_raw," ")
| eval API=mvindex(temp,4,8)
```| eval http_status=mvindex(temp,6,10)```

| eval status_index = if(match(API,"/services/protected/v1/developers"), 4, 6)
| eval status_index1 = if(match(API,"/services/public/v1/signup"), 4, 6)
| eval status_index2 = if(match(API,"/wcaapi/userReg/wgt/apps"), 8, 10)
| eval http_status=mvindex(temp, status_index)


| search (
"/services/public/v1/signup" OR
"/services/protected/v1/developers" OR 
"/services/public/v1/captcha" OR 
"/wcaapi/userReg/wgt/apps"
)
| eval API = if(match(API,"/services/public/v1/signup"), "DEVP1: Signup", API)
| eval API = if(match(API,"/services/protected/v1/developers"), "DEVP1: Developers", API)
| eval API = if(match(API,"/services/public/v1/captcha"), "DEVP1: Captcha", API)
| eval API = if(match(API,"/wcaapi/userReg/wgt/apps"), "User Registration Enhanced Login", API)

user33
Path Finder

Thank you!!

However, if I wanted to make more than one "status_index" for each API and then combine all status_indexes into one field called "http_status", how would I do that?


ITWhisperer
SplunkTrust
SplunkTrust

I am not sure I understand what you are trying to do. Can you please share some sample events and highlight which part you want extracted to which field? rex might be an easier option for you.


user33
Path Finder

Not a problem. It looks like I may have achieved it by modifying your solution. I had issues in the past with regex, so I was hoping to use this. I am not sure what "null" does in the "status_index" evals below, but it seems to work by not including frivolous information.
| eval temp=split(_raw," ")
| eval status_index1 = if(match(API,"/services/protected/v1/developers"), 6, null)
| eval status_index2 = if(match(API,"/services/public/v1/signup"), 6, null)
| eval status_index3 = if(match(API,"/wcaapi/userReg/wgt/apps"), 10, null)
| eval http_status1 = mvindex(temp, status_index1)
| eval http_status2 = mvindex(temp, status_index2)
| eval http_status3 = mvindex(temp, status_index3)
| eval http_status = coalesce(http_status1, http_status2, http_status3)

| search (
"/services/public/v1/signup" OR
"/services/protected/v1/developers" OR 
"/services/public/v1/captcha" OR 
"/wcaapi/userReg/wgt/apps"
)
| search NOT "Mozilla"
| eval API = if(match(API,"/services/public/v1/signup"), "DEVP1: Signup", API)
| eval API = if(match(API,"/services/protected/v1/developers"), "DEVP1: Developers", API)
| eval API = if(match(API,"/services/public/v1/captcha"), "DEVP1: Captcha", API)
| eval API = if(match(API,"/wcaapi/userReg/wgt/apps"), "User Registration Enhanced Login", API)
| fields API, http_status, wf_env
| convert timeformat="%Y-%m" ctime(_time) AS Date
| stats count(http_status) as Total_Calls, count(eval(http_status>=500)) as Server_Error by Date, API, wf_env
| eval SuccessRate=round((1-(Server_Error/Total_Calls)) * 100,2)
