Splunk Search

How do I write this search with a mvindex with a conditional?

user33
Path Finder

Hello,

I have the below SPL with the two mvindex functions.

mvindex position '6' in the array is supposed to apply http statuses for /developers. 

mvindex position '10' in the array is supposed to apply http statuses for /apps

Currently position 6 and 10 are crossing events. Applying to both APIs. Is there anyway I can have one mvindex apply to one command? 

 

(index=wf_pvsi_virt OR index=wf_pvsi_tmps) (sourcetype="wf:wca:access:txt" OR sourcetype="wf:devp1:access:txt") wf_env=PROD
| eval temp=split(_raw," ")
| eval API=mvindex(temp,4,8)
| eval http_status=mvindex(temp,6,10)
| search (
"/services/protected/v1/developers" OR
"/wcaapi/userReg/wgt/apps"
)
| search NOT "Mozilla"
| eval API = if(match(API,"/services/protected/v1/developers"), "DEVP1: Developers", API)
| eval API = if(match(API,"/wcaapi/userReg/wgt/apps"), "User Registration Enhanced Login", API)

 

Labels (1)
0 Karma
1 Solution

ITWhisperer
SplunkTrust
SplunkTrust
| eval status_index = if(match(API,"/services/protected/v1/developers"), 6, 10)
| eval http_status=mvindex(temp, status_index)

View solution in original post

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust
| eval status_index = if(match(API,"/services/protected/v1/developers"), 6, 10)
| eval http_status=mvindex(temp, status_index)
0 Karma

user33
Path Finder

What I am attempting to do below:

| eval temp=split(_raw," ")
| eval API=mvindex(temp,4,8)
```| eval http_status=mvindex(temp,6,10)```

| eval status_index = if(match(API,"/services/protected/v1/developers"), 4, 6)
| eval status_index1 = if(match(API,"/services/public/v1/signup"), 4, 6)
| eval status_index2 = if(match(API,"/wcaapi/userReg/wgt/apps"), 8, 10)
| eval http_status=mvindex(temp, status_index)


| search (
"/services/public/v1/signup" OR
"/services/protected/v1/developers" OR 
"/services/public/v1/captcha" OR 
"/wcaapi/userReg/wgt/apps"
)
| eval API = if(match(API,"/services/public/v1/signup"), "DEVP1: Signup", API)
| eval API = if(match(API,"/services/protected/v1/developers"), "DEVP1: Developers", API)
| eval API = if(match(API,"/services/public/v1/captcha"), "DEVP1: Captcha", API)
| eval API = if(match(API,"/wcaapi/userReg/wgt/apps"), "User Registration Enhanced Login", API)
0 Karma

user33
Path Finder

Thank you!!

However, if I wanted to make more than one "status_index" for each API and then combine all status_indexes into one field called "http_status"; how would I do that?

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

I am not sure I understand what you are trying to do. Please can you share some sample events and highlight which part you want extracted to which field - rex might be an easier option for you.

0 Karma

user33
Path Finder

Not a problem. It looks like I may have achieved it by modifying your solution. I had issues in the past with Regex so was hoping to use this. I am not sure what "null" does in the below "status_index" but it seems to work by not including frivolous information.

user33_0-1675875201520.png

 

| eval temp=split(_raw," ")
| eval status_index1 = if(match(API,"/services/protected/v1/developers"), 6, null)
| eval status_index2 = if(match(API,"/services/public/v1/signup"), 6, null)
| eval status_index3 = if(match(API,"/wcaapi/userReg/wgt/apps"), 10, null)
| eval http_status1 = mvindex(temp, status_index1)
| eval http_status2 = mvindex(temp, status_index2)
| eval http_status3 = mvindex(temp, status_index3)
| eval http_status = coalesce(http_status1, http_status2, http_status3)

| search (
"/services/public/v1/signup" OR
"/services/protected/v1/developers" OR 
"/services/public/v1/captcha" OR 
"/wcaapi/userReg/wgt/apps"
)
| search NOT "Mozilla"
| eval API = if(match(API,"/services/public/v1/signup"), "DEVP1: Signup", API)
| eval API = if(match(API,"/services/protected/v1/developers"), "DEVP1: Developers", API)
| eval API = if(match(API,"/services/public/v1/captcha"), "DEVP1: Captcha", API)
| eval API = if(match(API,"/wcaapi/userReg/wgt/apps"), "User Registration Enhanced Login", API)
| fields API, http_status, wf_env
| convert timeformat="%Y-%m" ctime(_time) AS Date
| stats count(http_status) as Total_Calls, count(eval(http_status>=500)) as Server_Error by Date, API, wf_env
| eval SuccessRate=round((1-(Server_Error/Total_Calls)) * 100,2)

 

0 Karma
Get Updates on the Splunk Community!

What's New in Splunk Enterprise 9.4: Features to Power Your Digital Resilience

Hey Splunky People! We are excited to share the latest updates in Splunk Enterprise 9.4. In this release we ...

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...

SignalFlow: What? Why? How?

What is SignalFlow? Splunk Observability Cloud’s analytics engine, SignalFlow, opens up a world of in-depth ...