Splunk Search

How to write a Splunk query where I need to send an alert if the counts of both queries are not the same?

New Member

I am writing a Splunk query where I need to send an alert if the counts of both queries are not the same. I am trying something like this:

(index=staging AND "service-name")
  AND {"first" | stats count by data.message} as query1
  AND {"second" | stats count by data.message} as query2
| eval compare=if(match(query1,query2),"True","False")

This doesn't return anything. Can anyone point me in the right direction?

Query 1-
index=staging "service-name" "First message" | timechart count by data.status

Query 2-
index=staging "service-name" "Second message" | timechart count by data.status

In my code I am saving logs like "Second message length{length} date{date}". length is something that I am setting dynamically in my code. date will be today's date or any random date.

So, basically I need to extract the value of length from Query 2 where date = "some random date",
and then I will compare it with the count of Query 1.

0 Karma

Great! Then this should do the trick:

index=staging AND "service-name" AND ("First message" OR "Second message")
| stats count(eval(like(_raw, "%First message%"))) AS first_count count(eval(like(_raw, "%Second message%"))) AS second_count BY data.status
| eval compare=if(first_count=second_count, "True", "False")

If that displays what you are expecting, then you can add this to the end:

| search compare="True"

Configure the alert to trigger if the result count is greater than 0.

EDIT: Converted this to an answer, since you upvoted it. Did it resolve your question? If not, I'll keep helping.

0 Karma
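As an added example (not part of the answer above or the original poster's code), here is one way to put the two pieces of the thread together into a single alert search: the stats-based keyword counting from the answer, plus the "length" value the poster says is embedded in the "Second message" log line. It assumes the log actually reads like "Second message length42 date2024-01-15" (the braces in the post are format placeholders), that the date to match is "2024-01-15", and that both message types carry a data.status field; all three are assumptions for illustration.

```spl
index=staging "service-name" ("First message" OR "Second message")
| rex field=_raw "Second message length(?<second_length>\d+) date(?<second_date>\S+)"
| where isnull(second_date) OR second_date="2024-01-15"
| eval is_first=if(like(_raw, "%First message%"), 1, 0)
| stats sum(is_first) AS first_count latest(second_length) AS second_count BY data.status
| eval second_count=coalesce(tonumber(second_count), 0)
| eval compare=if(first_count=second_count, "True", "False")
| where compare="False"
```

The rex extracts the embedded length and date only from "Second message" events; the where clause keeps every "First message" event (second_date is null for those) and only the "Second message" events for the chosen date, so the count of the first and the extracted value of the second end up in one row per data.status. Missing or non-numeric length values are coerced to 0 so a status with no matching "Second message" still produces a mismatch row. The final where keeps only rows where the two numbers differ, so an alert configured to fire when the result count is greater than 0 triggers on the not-equal condition the question asks about.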

New Member

[EDIT]
That worked but I just slightly changed the way I am saving logs to splunk.

So in Query 2-
In my code I am saving like "Second message length{length} date{date}". length is something that I am setting dynamically in my code. date will be today's date.

So, basically I will be extracting the value of length from Query 2 where date = "some random date",
and then I will compare it with the count of Query 1.
Query 1-
index=staging "service-name" "First message" | timechart count by data.status

0 Karma

Are "first" and "second" meant to stand in just for keywords here? Are you literally searching for one keyword and counting the number of matching data.message events and then searching for a second keyword and counting the matching data.message events? If so, this could work:

index=staging AND "service-name" AND ("first" OR "second")
| stats count(eval(like(_raw, "%first%"))) AS first_count count(eval(like(_raw, "%second%"))) AS second_count BY data.message
| eval compare=if(first_count=second_count, "True", "False")

But if you are actually looking for the values "first" and "second" in specific fields, then you should replace both instances of _raw above with the names of the fields, as this will make the search much more efficient.

0 Karma

New Member

Thank you for the quick reply.

"First" is literally a keyword; that's how I am saving my logs to Splunk.

But in the case of "second" I am actually logging a hashtable.

So in my code I am doing something like this: ("second", List( of Objects )), where "Second" is the key name and the value is the List( of Objects ). I will actually be comparing the count of List( of Objects ) with the count of "First".

0 Karma

Hmm...I don't totally follow the logic there. Could you post two full working queries where the first full query returns the value you're hoping to assign into query1 and the second returns the value you're hoping to assign to query2? I can help you combine them if I'm working with real code and not pseudo-code. It's fine for you to obfuscate/redact sensitive values or field names, but try to replace them with something meaningful so that the code still makes sense.

0 Karma

New Member

So my queries look like this:
Query 1-
index=staging "service-name" "First message" | timechart count by data.status

Query 2-
index=staging "service-name" "Second message" | timechart count by data.status

(This second query is a bit tricky, as I need to extract the total items from a hashtable (which I am logging to Splunk). So the count of Query 2 will be the total items in that hashtable where key = "Second message".)

And then I need to send an alert if the count of Query 1 is not equal to the count of Query 2.

0 Karma