Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

If / Then Conditional.

codichulo
Loves-to-Learn
‎08-17-2020 09:24 PM

Heres what i'm trying to accomplish: 

requestID               status
123456                   errored
321654                  Success
789456                 errored

I'm Newbie, Maybe i'm going about this all wrong, and there maybe another way....but i don't think so based on what info i have. but heres what i got so far. I'm probably over-thinking this. 

index=someindex sourcetype=sometype "request syntax" OR "error syntax" OR "success syntax"
| rex field=_raw "request id: '(?<requestID>\d+)',\text"
| rex field=_raw ".*(?<error>Error response received)\stext"
| rex field=_raw ".*(?<Success>Database request executed):\stext"
| eval requestID =if(requestID=(error),"Errored", "Success")


Labels (1)
Labels
0 Karma
Reply

bowesmana
SplunkTrust
SplunkTrust
‎08-17-2020 10:16 PM

There are a couple of oddities/errors in your query, e.g. there is no 's' after the \ in the request ID rex statement and the if statement would not need the () round error, however, it depends on your data as to what your query should look like - can you provide a sample?

However,  from your example query, this might be better (I have removed the trailing data outside the field capture group

index=someindex sourcetype=sometype "request syntax" OR "error syntax" OR "success syntax"
| rex field=_raw "request id: '(?<requestID>\d+)'"
| rex field=_raw ".*(?<error>Error response received)"
| rex field=_raw ".*(?<Success>Database request executed)"
| eval status=if(requestID=error,"Errored", "Success")

this is assuming that the rex statement extracting the field 'error' will give the same value as the requestID field. What is your intention with Success field extraction 

0 Karma
Reply

codichulo
Loves-to-Learn
‎08-18-2020 06:21 AM

oh sorry, the rex statements are working fine, i just removed identifiable info to make them look generic, and in doing so made them look in error. 

it was the eval statement that i couldn't get to work right. I'll try your suggestion. Thanks so much. 

 

0 Karma
Reply

to4kawa
Ultra Champion
‎08-17-2020 10:13 PM

what's the logs.
your regex is not good.

0 Karma
Reply
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...