Splunk Search

How to find users that had only errors for certain event?

dsnytkine
Engager

We have log entries in format like this:

LogLevel=info  username=some1 eventID=update

So in case of error the LogLevel will be LogLevel=error
LogLevel can also be debug

What I need to do is to find all users that had eventID=update but always had LogLevel=error and present them in table format
Username | count

If I simply search
eventID=update LogLevel=error then I will get all matching entries for users with LogLevel=error but some of these users probably also had entries with LogLevel=info (or debug)
How do I find users that had only LogLevel=error with this eventID?

0 Karma
1 Solution

tiagofbmm
Influencer

This gets you all the users with eventID="update" and only had log_level equals to error.

index=yourindex eventID="update"
| stats sum(eval(if(log_level!="error",1,0))) as HadOtherLogLevels by user
| where HadOtherLogLevels==0

Was this what you intended?

View solution in original post

0 Karma

tiagofbmm
Influencer

This gets you all the users with eventID="update" and only had log_level equals to error.

index=yourindex eventID="update"
| stats sum(eval(if(log_level!="error",1,0))) as HadOtherLogLevels by user
| where HadOtherLogLevels==0

Was this what you intended?

0 Karma

dsnytkine
Engager

Sounds like this is what I need. Is this the most efficient way? Thank you, I will test the solution.

0 Karma

dsnytkine
Engager

Yes, it worked, thank you. I'm wondering how common is this scenario?

0 Karma

Splunk's _internal logs also maintains log_level as "INFO", "ERROR","WARN" and "FATAL". So with a query like this you can search for the Splunk component which has always thrown error. For example after upgrade, install or config change etc. to isolate the issue. There could be several different use cases on similar lines.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

tiagofbmm
Influencer

Great. Honestly never had seen that requirement, but it is under the normal logic of splunk things

0 Karma

@dsnytkine, can you please try the following?

<YourBaseSeach> LogLevel="*" eventID="update"
| stats dc(LogLevel) as distinctCountLogLevel values(LogLevel) as LogLevels by username
| search distinctCountLogLevel=1 AND LogLevels="ERROR"

The values() statistical function gives unique values of LogLevel. Similarly dc() gives distinct count of LogLevel values. So only results filtered are those which have only one unique LogLevel and that value is ERROR.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

dsnytkine
Engager

Looks like it worked too, very interesting solution.

0 Karma
Get Updates on the Splunk Community!

Introducing Ingest Actions: Filter, Mask, Route, Repeat

WATCH NOW Ingest Actions (IA) is the best new way to easily filter, mask and route your data in Splunk® ...

Splunk Forwarders and Forced Time Based Load Balancing

Splunk customers use universal forwarders to collect and send data to Splunk. A universal forwarder can send ...

NEW! Log Views in Splunk Observability Dashboards Gives Context From a Single Page

Today, Splunk Observability releases log views, a new feature for users to add their logs data from Splunk Log ...