Hi team,
I created a query with the rex and stats commands, and it is working fine. Now I need to add another column that evaluates the error details and displays the status as 'ignore' or 'follow-up'.
The query looks like this (the rex capture group needs its closing parenthesis and quote, and the pipe before stats):
index=dev_master source="testing source" | rex field=_raw "Error desc : (?<Err>[^\"|<]+)" | stats count by Err
The result looks like below:
Err                                  count
server timeout, try after sometime   5
Web service error                    8
Address element not found            2
Now I want to enhance the above query to get the output like below.
Err                                  count   Action
server timeout, try after sometime   5       Ignore
Web service error                    8       follow-up
Address element not found            2       Ignore
Can anyone help me with this?
Thanks in advance.
Agree with @Anonymous.
You could add on something like the following to your search:
...< original search > ...
| eval action=case(Err="server timeout, try after sometime","Ignore",Err="Web service error","follow-up",Err="Address element not found","Ignore")
The challenge with the above is that you may need to create a case statement for many different values of the Err field, depending on what you want to set the Action field to.
Alternatively, if there will only ever be two values for Action (i.e. "Follow-Up" and "Ignore"), then you could do something like the following and adjust it as needed.
... < original search > ...
| eval Action=if(Err="Web service error" OR Err="Something else" OR Err="another thing","Follow-Up","Ignore")
This will assign "Follow-Up" to the specific Err values that you call out, and then assign "Ignore" to everything else.
@jdunlea
I have written the case statement, and it is working fine. But sometimes we get a log like "Address element not found - <<text>>". I used the search predicates *, %, + for this <<text>>, but it is not working.
Can you please let me know the exact search predicate for this <<text>> inside the double quotes and in the case statement?
If I understand you correctly, you tried to do something like this:
| eval field=if(field="*value*", [...])
Or something similar. In other words - you tried to match to a wildcarded string with a simple equality comparison, right?
Splunk doesn't work that way.
I know it can get confusing sometimes, but this form of wildcard matching (field=value_*with_wildcards) works only with the search command (which includes the implicit search at the beginning of your pipeline).
Otherwise the equality operator is treated exactly as in, for example, programming languages and checks for equality (with a possible exception for multivalued fields, but let's not dig into that at this point).
So in order to match a value against a partial pattern you need to use a matching function like:
See https://docs.splunk.com/Documentation/Splunk/9.0.1/SearchReference/ConditionalFunctions for a detailed description and examples.
You can do it using a match() statement within your case statement as follows:
...< original search > ...
| eval action=case(Err="server timeout, try after sometime","Ignore",match(Err,"Web service error"),"follow-up",Err="Address element not found","Ignore")
Hope this helps!
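As an added example that is not code from any of the answers above, here is a self-contained version of the whole pipeline that can be pasted into a Splunk search bar without the original index. The events are constructed with makeresults (the four "Error desc" strings, including one "Address element not found - <<order 1234>>" variant, are made up here to stand in for the real logs), the rex is the one from the question, and the Action column is built with match() anchored at the start of each Err value, so a trailing suffix like " - <<text>>" no longer breaks the comparison the way a plain equality check does. The final true() branch is an assumed policy: anything the case statement does not recognise is marked follow-up rather than silently ignored, so a new error type surfaces instead of disappearing into the Ignore bucket.

```spl
| makeresults count=4
| streamstats count AS n
| eval _raw=case(
    n=1, "Error desc : server timeout, try after sometime",
    n=2, "Error desc : Web service error",
    n=3, "Error desc : Address element not found - <<order 1234>>",
    n=4, "Error desc : Web service error")
| rex field=_raw "Error desc : (?<Err>[^\"|<]+)"
| eval Err=trim(Err)
| stats count BY Err
| eval Action=case(
    match(Err, "^server timeout"),           "Ignore",
    match(Err, "^Web service error"),        "follow-up",
    match(Err, "^Address element not found"), "Ignore",
    true(),                                   "follow-up")
```

Running this should give three rows: "Address element not found -" with count 1 and Action Ignore, "Web service error" with count 2 and Action follow-up, and "server timeout, try after sometime" with count 1 and Action Ignore. The third Err value keeps its trailing dash because the question's regex stops at the first "<"; with an equality test in the case statement that row would fall through, which is exactly the problem reported above, while the anchored match() still classifies it. Replace the makeresults/streamstats/eval _raw lines with the real index=... search to use it on live data.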
You have your Err and count available as normal fields, so there's no problem with doing an eval with if or a lookup based on either of those fields. If you want to do a lookup based on some original field or content of the _raw before aggregation, you shouldn't have used stats (yet), because you've already aggregated the data and lost the original events.