Splunk Search

How to write a Splunk query where I need to send an alert if the counts of both queries are not the same?

amar85
New Member

I am writing a Splunk query where I need to send an alert if the counts of both queries are not the same. I am trying something like this:

 (index=staging AND "service-name" )
  AND {"first" | stats count by data.message} as
  query1 AND {"second" |
  stats count by data.message}   as
  query2 | eval
  compare=if(match(query1,query2),"True","False")

This doesn't return anything. Can anyone point me in the right direction?

Query 1-
index=staging "service-name" "First message" | timechart count by data.status

Query 2-
index=staging "service-name" "Second message" | timechart count by data.status

In my code I am saving logs like "Second message length{length} date{date}". length is something that I am setting dynamically in my code; date will be today's date or any random date.

So, basically I need to extract the value of length from Query 2 where date = "some random date",

and then I will compare it with the count of Query 1.

0 Karma

elliotproebstel
Champion

Great! Then this should do the trick:

index=staging "service-name" ("First message" OR "Second message")
| stats count(eval(like(_raw, "%First message%"))) AS first_count count(eval(like(_raw, "%Second message%"))) AS second_count BY data.status
| eval compare=if(first_count=second_count, "True", "False")

If that displays what you are expecting, then you can add this to the end:

| search compare="True"

Configure the alert to trigger if the result count is greater than 0.

EDIT: Converted this to an answer, since you upvoted it. Did it resolve your question? If not, I'll keep helping.

0 Karma

amar85
New Member

[EDIT]
That worked, but I just slightly changed the way I am saving logs to Splunk.

So in Query 2-
In my code I am saving logs like "Second message length{length} date{date}". length is something that I am setting dynamically in my code; date will be today's date.

So, basically I will be extracting the value of length from Query 2 where date = "some random date",

and then I will compare it with the count of Query 1.
Query 1-
index=staging "service-name" "First message" | timechart count by data.status

0 Karma
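One way to express the refined requirement above in a single search, as an added example that is not from any post in this thread: extract length and date from the "Second message" events with rex, keep only the date of interest, and compare the extracted length with the number of "First message" events per data.status, leaving only the mismatched rows for the alert. The field names msg_length, msg_date, second_length and the date value 2024-01-15 are placeholders, and the regex assumes the raw line reads literally "Second message length42 date2024-01-15" with no separator between the label and the value.

```spl
index=staging "service-name" ("First message" OR "Second message")
| rex field=_raw "Second message length(?<msg_length>\d+) date(?<msg_date>\S+)"
| eval first_hit=if(like(_raw, "%First message%"), 1, 0)
| eval second_length=if(msg_date="2024-01-15", msg_length, null())
| stats sum(first_hit) AS first_count latest(second_length) AS second_length BY data.status
| eval compare=if(first_count=tonumber(second_length), "True", "False")
| search compare="False"
```

Configure the alert to trigger when the result count is greater than 0, so it fires only when the two numbers disagree for some data.status.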

elliotproebstel
Champion

Are "first" and "second" meant to stand in just for keywords here? Are you literally searching for one keyword and counting the number of matching data.message events and then searching for a second keyword and counting the matching data.message events? If so, this could work:

index=staging "service-name" ("first" OR "second")
| stats count(eval(like(_raw, "%first%"))) AS first_count count(eval(like(_raw, "%second%"))) AS second_count BY data.message
| eval compare=if(first_count=second_count, "True", "False")

But if you are actually looking for the values "first" and "second" in specific fields, then you should replace both instances of _raw above with the names of the fields, as this will make the search much more efficient.

0 Karma

amar85
New Member

Thank you for the quick reply.

"First" is literally a keyword; that's how I am saving my logs to Splunk.

But in the case of "second" I am actually logging a hashtable.

So in my code I am doing something like this: ("second", List( of Objects )), where "Second" is the key name and the value is the List( of Objects ). I will actually be comparing the count of List( of Objects ) with the count of "First".

0 Karma

elliotproebstel
Champion

Hmm...I don't totally follow the logic there. Could you post two full working queries where the first full query returns the value you're hoping to assign into query1 and the second returns the value you're hoping to assign to query2? I can help you combine them if I'm working with real code and not pseudo-code. It's fine for you to obfuscate/redact sensitive values or field names, but try to replace them with something meaningful so that the code still makes sense.

0 Karma

amar85
New Member

So my query looks like -
Query 1-
index=staging "service-name" "First message" | timechart count by data.status

Query 2-
index=staging "service-name" "Second message" | timechart count by data.status

(This second query is a bit tricky, as I need to extract the total items from a hashtable, which I am logging to Splunk. So the count of Query 2 will be the total items in that hashtable where key = "Second message".)

And then I need to send an alert if the count of Query 1 is not equal to the count of Query 2.

0 Karma