Splunk Search

How to edit my stats search to display certain fields based on a resulting value?

randymoore
Explorer

I have some data that looks like:

Status   Rec_Cnt   Message
OK       723       File produced 723 records
ERROR    123       Directory does not exist

What I want is for Status = "OK" to only display the Status and Rec_Cnt fields. If the status!="OK", then I want to display Status, Rec_Cnt and Message

so I tried

| ...base search...
| stats count by Status, Rec_Cnt 
| where Status!="OK"
| stats count by Status, Rec_Cnt, Message

Which I didn't expect to work, and it did not. I know it is not that simple, but I am at a loss as to how to get what I am looking for.

Ideas on what I should try next?

0 Karma

sundareshr
Legend

How about this

| ...base search...
| stats count values(eval(if(Status="OK", "", Message))) as Message by Status, Rec_Cnt

0 Karma

randymoore
Explorer

That's much closer than what I had going on! Thanks

The only thing is that this is going to be a table on a dashboard panel, and there will only ever be 1 line of data (the latest event) displayed. I don't really want the NOC folks to see a message field unless there is a problem (status!=OK). The reason is that after time, human nature will just glance up at the panel and will always see a "message" column (even a blank one) and discount it as normal, even if there is data displayed there.

Successful operations should just display 2 columns Status and Rec_Cnt, Message is for when there is an issue.

0 Karma

sundareshr
Legend

In that case, try this (this is just a brain dump, please review and tweak as needed)

<dashboard>
   <search id="panel_logic">
      <query>... base search ... NOT (Status="OK")</query>
      <earliest>@d</earliest>
      <latest>now</latest>
      <done>
           <condition match="'job.resultCount' > 0">
               <set token="show_error">true</set>
               <unset token="exec_search" />
           </condition>
           <condition>
               <unset token="show_error" />
               <set token="exec_search">yes</set>
           </condition>
       </done>
   </search>
   <row>
      <!-- this is the panel with query for success ONLY with 2 columns -->
      <panel rejects="$show_error$">
         <table>
            <search>
               ...
            </search>
         </table>
      </panel>

      <!-- this is the panel with query for success AND failure with 3 columns -->
      <panel depends="$show_error$">
         <table>
            <search>
               ...
            </search>
         </table>
      </panel>
   </row>
</dashboard>

Now, depends & rejects will only show/hide the panel if the criteria are met; the search for the panel will execute, resulting in 3 searches in your dashboard. To minimize the number of times a search gets executed, add the following to the respective searches. This will cause the search to wait for these specific tokens to be set. You can hide these fields from the final display.

Search for success only: add eval exec_search="$exec_search$"
Search for error condition: add eval show_error="$show_error$"

0 Karma
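A single-search alternative, added here as an example and not from either poster: a Splunk results table only renders columns for fields that are present in at least one result row, and eval's null() removes a field from a row rather than leaving it empty. Nulling Message whenever Status is "OK" therefore makes the Message column disappear from the panel for the success case and reappear, with its text, for the error case, without a second search or any dashboard tokens. The "... base search ..." placeholder and the "head 1" (to keep only the latest event, as the asker described) are assumptions.

```spl
... base search ...
| head 1
| table Status Rec_Cnt Message
| eval Message=if(Status="OK", null(), Message)
```

Design note: this relies on the panel showing a single row, which is exactly the asker's situation. With several rows, one non-OK row brings the Message column back for every row (the OK rows just show it blank), which is the right behaviour for a multi-row view but would reintroduce the "always-present column" habit the asker wants to avoid. Keep "table" before the "eval": "table" renders every listed column even when empty, so nulling the field after it is what removes the column.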