Splunk Search

How to add a conditional statement in searchmatch?

ank15july96
Engager

Hello,

I'm new to Splunk, so please pardon me if this is too easy of a question.
I'm trying to list attempted operation vs. passed operation and categorize it by apps. Below is the search that I have:

index="cts-test-app" source=*PERF* | rex "DN: (?<ConsumingApp>.*?)[}\s]" | stats count(eval(searchmatch("GET /Refid"))) AS "Attempted" count(eval(searchmatch("POST /refid"))) AS "Passed" 

Now, for both operations, there could be another string indicator. Essentially I want to insert an OR operation, something like this:

 index="cts-test-app" source=*PERF* | rex "DN: (?<ConsumingApp>.*?)[}\s]" | stats count(eval(searchmatch(**"GET /Refid" OR "GET /SomeId"**))) AS "Attempted" count(eval(searchmatch(**"POST /refid" OR "POST /SomeId"**))) AS "Passed" 

Is there a way to do this with searchmatch? If not, can this search be rewritten in a way that would achieve this objective?

Any help will be much appreciated.


rnowitzki
Builder

This could be optimized based on your data. For example, the part with "GET /something" could be available in some extracted fields (method, uri?), or if not, you may want to extract them as fields and then clean up the SPL. But it should work looking at _raw:

index="cts-test-app" source=*PERF* 
| rex "DN: (?<ConsumingApp>.*?)[}\s]" 
| rex field=_raw "GET\s\/(?<attempted>(Refid|SomeId))" 
| rex field=_raw "POST\s\/(?<passed>(refid|SomeId))" 
| stats count(attempted), count(passed) by ConsumingApp

Note: For the attempted ones you wrote "Refid" and for the passed ones "refid"; not sure if that reflects your data or if those were some random strings anyway... just make sure you have it right in your rex.

searchmatch might also work. I'm just not used to working with it.

--
Karma and/or Solution tagging appreciated.

ank15july96
Engager

That would work. What if I want to use a standalone string along with "GET /someid" - something like "resourcetoken" (a string that doesn't contain GET)? How do I transpire that into "GET\s\/(?<attemped>(Refid|SomeId))"?


rnowitzki
Builder

Not sure if I got your question correctly. But you could, for example, use the fields that you created in a search.

index="cts-test-app" source=*PERF* 
| rex "DN: (?<ConsumingApp>.*?)[}\s]" 
| rex field=_raw "GET\s\/(?<attempted>(Refid|SomeId))" 
| search attempted AND "some string"
| stats count AS attemptedWithSomeString by ConsumingApp
| appendcols [
index="cts-test-app" source=*PERF* 
| rex "DN: (?<ConsumingApp>.*?)[}\s]" 
| rex field=_raw "GET\s\/(?<attempted>(Refid|SomeId))" 
| search attempted AND "some other string"
| stats count AS attemptedWithSomeOtherString by ConsumingApp
]


This is using a subsearch (appendcols) and I usually don't use/like it. Just the first idea I came up with, without knowing your data. (And maybe not knowing what you want as a result 🙂 )

Could you maybe share some example logs and the result you want to have from it?

--
Karma and/or Solution tagging appreciated.
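Pulling the original question and the follow-up together, here is an added example (not written by either poster in this thread). It relies on the fact that searchmatch takes one string argument that is itself a full search expression, so OR, AND and parentheses work inside it as long as the inner double quotes are escaped as \". That answers the first question directly, and it also covers the follow-up (counting a standalone term such as "resourcetoken" alongside the GET match) in a single pass, without a subsearch. The index, source, ConsumingApp extraction and the GET/POST strings come from the thread; "resourcetoken" is the asker's hypothetical term, and the AttemptedWithToken column name is an assumption.

```spl
index="cts-test-app" source=*PERF*
| rex "DN: (?<ConsumingApp>.*?)[}\s]"
| stats
    count(eval(searchmatch("\"GET /Refid\" OR \"GET /SomeId\""))) AS Attempted
    count(eval(searchmatch("(\"GET /Refid\" OR \"GET /SomeId\") AND resourcetoken"))) AS AttemptedWithToken
    count(eval(searchmatch("\"POST /refid\" OR \"POST /SomeId\""))) AS Passed
    by ConsumingApp
```

Two caveats when choosing between this and the rex-based answers above. First, keyword matching inside searchmatch follows normal search semantics and is case-insensitive, so the "Refid" versus "refid" difference does not matter here, whereas rex is case-sensitive unless the pattern starts with (?i). Second, appendcols pairs rows by position rather than by ConsumingApp, so if the two sides of the appendcols search return different sets of apps the counts can end up on the wrong row; computing every conditional count in one stats call with a shared by clause avoids that.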