Splunk Search

How to get match to work with two sources

rossparfect
Path Finder

Okay, so here's the problem: 2 sources, and I have to rex out a file name and match it to a field within another file; if it matches, show Success, if it fails, show Failed. All sounds achievable in Splunk, but I keep hitting a problem that it will show a success match but won't show a failed match.

Here's the code (I've changed the fields etc. but see below):

Any help on this would be great, I'm new to Splunk.
index="sample_log" sourcetype="STAR:OUT:ALL"
| rename Trans_Name as REF
| lookup REF APPL-FILENAME as Stream_Name
| join REF [search index="sample_log" sourcetype="STAR:OUT:ACK" | rex field=source "ACK_(?<REF>\w+)_" ]
| rex field=source "_(?<STP_Process_Time>\d{14})."
| eval results = if(match('REF', "\w{10}\d{6}\w+"), "Success", "Failed")
| table results
0 Karma

Sukisen1981
Champion

Hmm, you are performing a join by REF and you extract a rex also as REF.
So, what happens? By default the join command takes the common field (A intersection B in set language). Are you sure you, in fact, have REF fields which should return failed?
The intersection join by default will return events (with REF field) common to both searches. Do the common REF fields have the same pattern as your match regex?

0 Karma

MuS
Legend

Hi rossparfect,

Give this a try:

(index="sample_log" sourcetype="STAR:OUT:ALL") OR (index="sample_log" sourcetype="STAR:OUT:ACK" )
| rex field=source "ACK_(?<REF>\w+)_"
| eval REF=case(isnotnull(Trans_Name),  Trans_Name, isnotnull(REF), REF, 1=1, "unknown") 
| lookup REF APPL-FILENAME as Stream_Name 
| rex field=source "_(?<STP_Process_Time>\d{14})."
| eval results = if(match(REF, "\w{10}\d{6}\w+"), "Success", "Failed")
| table results

If this still does not work, start removing | SPL from the back until you get the expected results.

Otherwise provide some sanitised sample events and the expected result and it will be easier to help.

Hope this helps ...

cheers, MuS

0 Karma

rossparfect
Path Finder

I'll give that a shot and get back to you, thanks MuS (should add I've been reading all your other answers and your Splunk .conf presentations), all good stuff (that said, I think I've ended up down a dark hole with this one).

I'll update shortly,

Thanks

Ross

0 Karma

rossparfect
Path Finder

Hi MuS, I'll add some tomorrow, it's 23:36 in the UK and I'm knackered. However, if I do a stats values and an mvexpand I do get a result that the fields match, however I can't do much after that with that search. I'll post that up tomorrow as well,

Thanks for your help so far,

0 Karma

rossparfect
Path Finder

Evening MuS

OK, another day at it and still struggling (tried a case statement and it works when I put in the text for the ref and compare) but not when I try and compare the 2 fields.

So here's some example sources and sourcetypes

Source type one - obi:one:ken:out
Source type two - obi:one:ken:ack

source - ack_123456aaabbb_13052019.csv - contents Success
source - starwars_outbound.csv - contents Transmission / 123456aaabbb

What needs to happen

I need to extract the transmission from the source file and then match it to the contents in the outbound.csv file.

I then need to put all the details in a table with additional fields from a lookup and contents from the file, but, and this is where it starts to fall down,

If there isn't a match or the source file doesn't exist (it may come in later) then I need to show that as failed.

The best I can get is either having it working using stats(values) and an mvexpand, which doesn't allow me much else that I can display, or just having a success being displayed, for example for 2 out of the 5 files,

When I should see the following

Transmission   Outtype   Filetype   Acknowledgement   Time
123456aaabbb   D         Light      Success
123456aaaccc   E         sabre      failed

0 Karma

MuS
Legend

You've provided samples here that will never match the initially posted search.

For example, you're doing a regex on source for ACK but provide source as ack_ above. The other thing is that REF should match another regex of 10 any word characters followed by 6 digits followed by one or more any word characters, but the provided sample contains 6 digits followed by 6 any word characters ¯\_(ツ)_/¯

You really should provide some real sample events, otherwise there is no way I can help you.

cheers, MuS

0 Karma

rossparfect
Path Finder

Thanks MuS,

Alas, I can't post any real events due to the company I work for.

However, apologies, yes it should be ACK.

So for example (and these are as close as I can get to real events)

File one is

Outside_SHM300TW_20190730.csv

Contents in it

XAHBAABCXX21081AA,SHM300TW

Which has to then be matched to a different source that has the long ref number in the title of the CSV

so

ACK_XAHBAABCXX21081AA_20190730.csv

So what I need to do is regex out the number after the ACK and then match it to the contents of the other file,

however I also need to show the events that don't have a match yet.

Hopefully that helps, as that's the closest I can get to sharing events (as I've had to make these up based on the actual events).

thanks

Ross

0 Karma

rossparfect
Path Finder

Hi MuS,

Feel free to swear on this one (I'm Scottish so do it a lot), however I've sorted my issue.

I spoke to the data owners again and I have used an outer join to do the join, then an eval on whether the actual process time is present for the ack file (as if it isn't, there isn't an ack file). This allows me to show a result or "not sent".

So all in all, I can now have an Acknowledgement of either Success or Not sent.

Thanks for your help though, and I'll continue watching the videos, PPTs and following you on Splunk Answers.

Onwards and upwards

Thanks

Ross

0 Karma
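The approach Ross describes above (an outer join on the transmission reference, then an eval on whether the ACK file's process time is present), and the same matching problem MuS's single-search answer addresses, written out in SPL as an added example; this is not code from the thread. It uses the index and sourcetype names from the first post, assumes the outbound event carries Trans_Name and Stream_Name as in the original search (lookup name REF and lookup field APPL-FILENAME are also taken from it), and is written against the sample filenames posted above (Outside_SHM300TW_20190730.csv containing XAHBAABCXX21081AA,SHM300TW and ACK_XAHBAABCXX21081AA_20190730.csv). The timestamp part of the ACK filename is captured with \d+ rather than \d{14} because the sample has an 8-digit date; adjust to the real file naming. The output field names Acknowledgement and STP_Process_Time are assumed.

```spl
index="sample_log" sourcetype="STAR:OUT:ALL"
| rename Trans_Name AS REF
| join type=left REF
    [ search index="sample_log" sourcetype="STAR:OUT:ACK"
      | rex field=source "ACK_(?<REF>\w+)_(?<STP_Process_Time>\d+)\.csv$"
      | table REF STP_Process_Time ]
| eval Acknowledgement=if(isnotnull(STP_Process_Time), "Success", "Not sent")
| lookup REF APPL-FILENAME AS Stream_Name
| table REF Stream_Name Acknowledgement STP_Process_Time
```

The key change from the original search is type=left: join defaults to an inner join, so outbound events with no matching ACK event were dropped before the eval ever ran, which is why only Success rows appeared. With the left join every outbound event survives; those whose REF matched an ACK filename get STP_Process_Time from the subsearch and show Success, and those with no ACK file yet keep a null STP_Process_Time and show Not sent. Note that join feeds the ACK side through a subsearch and is bounded by the subsearch row and time limits; at higher volumes the same result comes from MuS's single-search shape, i.e. searching both sourcetypes in one base search, eval REF=coalesce(Trans_Name, ack_ref) after extracting ack_ref from the ACK source, stats values(STP_Process_Time) AS STP_Process_Time by REF, and then the same isnotnull test.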

MuS
Legend

HaHA, no reason to swear 😉

Glad you made it work for you in the end!

Slàinte, MuS

0 Karma

MuS
Legend

HaHA, nice played Sir 😉

0 Karma

rossparfect
Path Finder

Hi MuS, I can't attach files, do you have an email address I can send to?

0 Karma

rossparfect
Path Finder

An example would be as follows

CSV files: an outbound file and then an inbound acknowledgement file.

The outbound would have the field transmission inside the file

transmission
123456

The ack file would only have success in the file itself, but in the file name would have

123456

So I have to extract the file name from the ack file and then match it to a field name in another file, all with different sources.

I can get it to show a success but it won't show any failed files (which is what we need as well). Tried the above and it came back with 5 out of 5 but should only have 2 out of five,

0 Karma

MuS
Legend

It sounds/looks to me like the regex does not match correctly, can you add a list of some REF values here?

0 Karma