Splunk Search

How to add a conditional statement in searchmatch?

ank15july96
Engager

Hello,

I'm new to Splunk, so please pardon me if this is too easy of a question.
I'm trying to list attempted operation vs. passed operation and categorize it by apps. Below is the search that I have:

index="cts-test-app" source=*PERF* | rex "DN: (?<ConsumingApp>.*?)[}\s]" | stats count(eval(searchmatch("GET /Refid"))) AS "Attempted" count(eval(searchmatch("POST /refid"))) AS "Passed" 

Now, for both operations, there could be another string indicator. Essentially I want to insert OR operation, something like this:

 index="cts-test-app" source=*PERF* | rex "DN: (?<ConsumingApp>.*?)[}\s]" | stats count(eval(searchmatch(**"GET /Refid" OR "GET /SomeId"**))) AS "Attempted" count(eval(searchmatch(**"POST /refid" OR "POST /SomeId"**))) AS "Passed" 

Is there a way to do this with searchmatch? If not, can this search be rewritten in a way that would achieve this objective?

Any help will be much appreciated.


rnowitzki
Builder

This could be optimized based on your data. For example the part with "GET /something" could be available in some extracted fields (method, uri ?), or if not you maybe want to extract them as a field and then clean the SPL. But it should work looking at _raw:

index="cts-test-app" source=*PERF* 
| rex "DN: (?<ConsumingApp>.*?)[}\s]" 
| rex field=_raw "GET\s\/(?<attempted>(Refid|SomeId))" 
| rex field=_raw "POST\s\/(?<passed>(refid|SomeId))" 
| stats count(attempted), count(passed) by ConsumingApp

Note: For the attempted you wrote "Refid" and for the passed ones "refid", not sure if that reflects your data or if it were some random strings anyway...just make sure you have it right in your rex.

searchmatch might also work. I'm just not used to working with it.

--
Karma and/or Solution tagging appreciated.
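An added example, not from either poster, showing the OR condition written both ways: searchmatch() takes a whole search string, so the phrase quotes are escaped inside it, while match() takes a regex against _raw. Both are wrapped in if() so only true matches are summed, and "by ConsumingApp" gives the per-app breakdown the question asks for; the index, source and field names are taken from the question.

```spl
index="cts-test-app" source=*PERF*
| rex "DN: (?<ConsumingApp>.*?)[}\s]"
| stats sum(eval(if(searchmatch("\"GET /Refid\" OR \"GET /SomeId\""), 1, 0))) AS Attempted
        sum(eval(if(searchmatch("\"POST /refid\" OR \"POST /SomeId\""), 1, 0))) AS Passed
        by ConsumingApp

index="cts-test-app" source=*PERF*
| rex "DN: (?<ConsumingApp>.*?)[}\s]"
| stats sum(eval(if(match(_raw, "GET /(Refid|SomeId)"), 1, 0))) AS Attempted
        sum(eval(if(match(_raw, "POST /(refid|SomeId)"), 1, 0))) AS Passed
        by ConsumingApp
```

The match() form is case-sensitive as written, so check whether your events use "Refid" or "refid" before relying on it.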

ank15july96
Engager

That would work. What if I want to use a standalone string along with "GET /someid" - something like "resourcetoken" (string that doesn't contain GET). How do I transpire that into "GET\s\/(?<attemped>(Refid|SomeId))"


rnowitzki
Builder

Not sure if I got your question correct. But you could for example use the fields that you created in a search.

index="cts-test-app" source=*PERF* 
| rex "DN: (?<ConsumingApp>.*?)[}\s]" 
| rex field=_raw "GET\s\/(?<attempted>(Refid|SomeId))" 
| search attempted=* AND "some string"
| stats count AS attemptedWithSomeString by ConsumingApp
| appendcols [
index="cts-test-app" source=*PERF* 
| rex "DN: (?<ConsumingApp>.*?)[}\s]" 
| rex field=_raw "GET\s\/(?<attempted>(Refid|SomeId))" 
| search attempted=* AND "some other string"
| stats count AS attemptedWithSomeOtherString by ConsumingApp
]
This is using a subsearch (appendcols) and I usually don't use/like it. Just the first idea I came up with, without knowing your data. (And maybe not knowing what you want as a result 🙂 )

Could you maybe share some example logs and the result you want to have from it?

--
Karma and/or Solution tagging appreciated.