Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do I write this search with a mvindex with a conditional?

user33
Path Finder
‎02-07-2023 01:18 PM

Hello,

I have the below SPL with the two mvindex functions.

mvindex position '6' in the array is supposed to apply http statuses for /developers. 

mvindex position '10' in the array is supposed to apply http statuses for /apps

Currently position 6 and 10 are crossing events. Applying to both APIs. Is there anyway I can have one mvindex apply to one command? 

 

(index=wf_pvsi_virt OR index=wf_pvsi_tmps) (sourcetype="wf:wca:access:txt" OR sourcetype="wf:devp1:access:txt") wf_env=PROD
| eval temp=split(_raw," ")
| eval API=mvindex(temp,4,8)
| eval http_status=mvindex(temp,6,10)
| search (
"/services/protected/v1/developers" OR
"/wcaapi/userReg/wgt/apps"
)
| search NOT "Mozilla"
| eval API = if(match(API,"/services/protected/v1/developers"), "DEVP1: Developers", API)
| eval API = if(match(API,"/wcaapi/userReg/wgt/apps"), "User Registration Enhanced Login", API)

 

Labels (1)
Labels
Preview file
21 KB
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎02-07-2023 02:44 PM 
| eval status_index = if(match(API,"/services/protected/v1/developers"), 6, 10)
| eval http_status=mvindex(temp, status_index)

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎02-07-2023 02:44 PM 
| eval status_index = if(match(API,"/services/protected/v1/developers"), 6, 10)
| eval http_status=mvindex(temp, status_index)
0 Karma
Reply
Solved! Jump to solution

user33
Path Finder
‎02-08-2023 05:50 AM

What I am attempting to do below:

| eval temp=split(_raw," ")
| eval API=mvindex(temp,4,8)
```| eval http_status=mvindex(temp,6,10)```

| eval status_index = if(match(API,"/services/protected/v1/developers"), 4, 6)
| eval status_index1 = if(match(API,"/services/public/v1/signup"), 4, 6)
| eval status_index2 = if(match(API,"/wcaapi/userReg/wgt/apps"), 8, 10)
| eval http_status=mvindex(temp, status_index)


| search (
"/services/public/v1/signup" OR
"/services/protected/v1/developers" OR 
"/services/public/v1/captcha" OR 
"/wcaapi/userReg/wgt/apps"
)
| eval API = if(match(API,"/services/public/v1/signup"), "DEVP1: Signup", API)
| eval API = if(match(API,"/services/protected/v1/developers"), "DEVP1: Developers", API)
| eval API = if(match(API,"/services/public/v1/captcha"), "DEVP1: Captcha", API)
| eval API = if(match(API,"/wcaapi/userReg/wgt/apps"), "User Registration Enhanced Login", API)
0 Karma
Reply
Solved! Jump to solution

user33
Path Finder
‎02-08-2023 05:49 AM

Thank you!!

However, if I wanted to make more than one "status_index" for each API and then combine all status_indexes into one field called "http_status"; how would I do that?

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎02-08-2023 07:53 AM

I am not sure I understand what you are trying to do. Please can you share some sample events and highlight which part you want extracted to which field - rex might be an easier option for you.

0 Karma
Reply
Solved! Jump to solution

user33
Path Finder
‎02-08-2023 08:53 AM

Not a problem. It looks like I may have achieved it by modifying your solution. I had issues in the past with Regex so was hoping to use this. I am not sure what "null" does in the below "status_index" but it seems to work by not including frivolous information.

user33_0-1675875201520.png

 

| eval temp=split(_raw," ")
| eval status_index1 = if(match(API,"/services/protected/v1/developers"), 6, null)
| eval status_index2 = if(match(API,"/services/public/v1/signup"), 6, null)
| eval status_index3 = if(match(API,"/wcaapi/userReg/wgt/apps"), 10, null)
| eval http_status1 = mvindex(temp, status_index1)
| eval http_status2 = mvindex(temp, status_index2)
| eval http_status3 = mvindex(temp, status_index3)
| eval http_status = coalesce(http_status1, http_status2, http_status3)

| search (
"/services/public/v1/signup" OR
"/services/protected/v1/developers" OR 
"/services/public/v1/captcha" OR 
"/wcaapi/userReg/wgt/apps"
)
| search NOT "Mozilla"
| eval API = if(match(API,"/services/public/v1/signup"), "DEVP1: Signup", API)
| eval API = if(match(API,"/services/protected/v1/developers"), "DEVP1: Developers", API)
| eval API = if(match(API,"/services/public/v1/captcha"), "DEVP1: Captcha", API)
| eval API = if(match(API,"/wcaapi/userReg/wgt/apps"), "User Registration Enhanced Login", API)
| fields API, http_status, wf_env
| convert timeformat="%Y-%m" ctime(_time) AS Date
| stats count(http_status) as Total_Calls, count(eval(http_status>=500)) as Server_Error by Date, API, wf_env
| eval SuccessRate=round((1-(Server_Error/Total_Calls)) * 100,2)

 

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In November, the Splunk Threat Research Team had one release of new security content via the Enterprise ...

Index This | Divide 100 by half. What do you get?

November 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Stay Connected: Your Guide to December Tech Talks, Office Hours, and Webinars!

❄️ Celebrate the season with our December lineup of Community Office Hours, Tech Talks, and Webinars! ...