Splunk Search

How to add a conditional statement in searchmatch?

New Member

Hello,

I'm new to Splunk, so please pardon me if this is too easy of a question.
I'm trying to list attempted operation vs. passed operation and categorize it by apps. Below is the search that I have:

index="cts-test-app" source=*PERF* | rex "DN: (?<ConsumingApp>.*?)[}\s]" | stats count(eval(searchmatch("GET /Refid"))) AS "Attempted" count(eval(searchmatch("POST /refid"))) AS "Passed" 

Now, for both operations, there could be another string indicator. Essentially I want to insert OR operation, something like this:

 index="cts-test-app" source=*PERF* | rex "DN: (?<ConsumingApp>.*?)[}\s]" | stats count(eval(searchmatch("GET /Refid" OR "GET /SomeId"))) AS "Attempted" count(eval(searchmatch("POST /refid" OR "POST /SomeId"))) AS "Passed" 

Is there a way to do this with searchmatch? If not, can this search be rewritten in a way that would achieve this objective?

Any help will be much appreciated.


Builder

This could be optimized based on your data. For example, the "GET /something" part could already be available in some extracted fields (method, uri?), or, if not, you may want to extract them as fields and then clean up the SPL. But this should work looking at _raw:

index="cts-test-app" source=*PERF* 
| rex "DN: (?<ConsumingApp>.*?)[}\s]" 
| rex field=_raw "GET\s\/(?<attempted>(Refid|SomeId))" 
| rex field=_raw "POST\s\/(?<passed>(refid|SomeId))" 
| stats count(attempted), count(passed) by ConsumingApp

Note: For the attempted ones you wrote "Refid" and for the passed ones "refid"; not sure if that reflects your data or if they were just random strings anyway... just make sure you have it right in your rex.

searchmatch might also work. I'm just not used to working with it.

--
Karma and/or Solution tagging appreciated.

New Member

That would work. What if I want to use a standalone string along with "GET /someid", something like "resourcetoken" (a string that doesn't contain GET)? How do I translate that into "GET\s\/(?<attempted>(Refid|SomeId))"?


Builder

Not sure if I got your question correctly. But you could, for example, use the fields that you created in a search.

index="cts-test-app" source=*PERF* 
| rex "DN: (?<ConsumingApp>.*?)[}\s]" 
| rex field=_raw "GET\s\/(?<attempted>(Refid|SomeId))" 
| search attempted=* AND "some string"
| stats count AS attemptedWithSomeString by ConsumingApp
| appendcols [
index="cts-test-app" source=*PERF* 
| rex "DN: (?<ConsumingApp>.*?)[}\s]" 
| rex field=_raw "GET\s\/(?<attempted>(Refid|SomeId))" 
| search attempted=* AND "some other string"
| stats count AS attemptedWithSomeOtherString by ConsumingApp
]


This is using a subsearch (appendcols) and I usually don't use/like it. Just the first idea I came up with, without knowing your data. (And maybe not knowing what you want as a result 🙂 )

Could you maybe share some example logs and the result you want to have from it?

--
Karma and/or Solution tagging appreciated.
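Added example (not posted by anyone in the thread): searchmatch() takes one argument, a search string, so the OR belongs inside that string, with each multi-word phrase escaped as a quoted term. The index, source, rex and field names are taken from the question; "resourcetoken" is the standalone string from the follow-up, and the fillnull line is an assumption so that events where the DN pattern does not match still get counted under a placeholder app instead of being dropped by the "by" clause.

```spl
index="cts-test-app" source=*PERF*
| rex "DN: (?<ConsumingApp>.*?)[}\s]"
| fillnull value="unknown" ConsumingApp
| stats
    count(eval(searchmatch("\"GET /Refid\" OR \"GET /SomeId\" OR resourcetoken"))) AS Attempted
    count(eval(searchmatch("\"POST /refid\" OR \"POST /SomeId\""))) AS Passed
    by ConsumingApp
```

Two things to check before relying on the numbers. First, searchmatch() uses search-term semantics, so the terms are matched case-insensitively and on token boundaries; the "Refid" versus "refid" difference that matters in a rex pattern disappears here. If you need a case-sensitive or substring match, use a regex instead, e.g. count(eval(match(_raw, "GET /(Refid|SomeId)|resourcetoken"))) AS Attempted, which is a per-event regex rather than a search expression. Second, compare the per-app totals against a plain count by ConsumingApp once: if Attempted plus the events matching neither pattern does not add up to the total, the DN extraction or one of the phrases is not matching what is actually in _raw.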