Splunk Search

Limitations with searchmatch() eval function?

Super Champion

Is there any weird issues with using multiple searchmatch() expressions within a single eval command?

I have a transaction search in which I'm using an eval to assigning my transaction a simple Pass/Fail kind of field. The transactions are summarized and shown on a table in a dashboard. It occurred to me, based on some newly encountered failure scenarios, that I could use splunk to elaborate on the status a little and look for a few specific failure situations, which is when I ran into some trouble...

My original pass/fail logic was like so:

... | eval complete=if(searchmatch("Building Transmission") AND searchmatch("\"sent to Trading Networks\""), "True", "False")

So to expand on this, I decided to use case() rather than if() to easily handle additional status values. I ended up with a search command like this:

... | eval status=case(
    searchmatch("B2B.Invoice.Admin:recoverFailedTransmission -- Sucessfully"), "Removed",
    searchmatch("Systematic failure"), "System Failure",
    (searchmatch("Building Transmission") AND searchmatch("\"sent to Trading Networks\"")), "OK",  
    0==0, "Incomplete")

However, this results in nearly all the transactions being incorrectly assigned the status of "Removed" (the very first condition.) Another event was marked with "Incomplete", when it should have been marked with "System Failure". So basically I got a bunch of incorrect results.

However, if I write my eval using a couple more match()s and less searchmatch()s, then the same logic above seems to work:

... | eval status=case(match(_raw, "(?ms).*? B2B\.Invoice\.Admin:recoverFailedTransmission -- Sucessfully .+"), "Removed",
    match(_raw, "(?ms).*? Systematic failure .*"), "System Failure",
    (searchmatch("Building Transmission") AND searchmatch("sent to Trading Networks")), "OK", 
    0==0, "Incomplete")

This is why I'm wondering if I'm running into some weird limitation. Can anyone see a problem in my logic?

Has anyone used a series of searchmatch() expressions like this before successfully?


I've also tried breaking apart the search to separate out the various searchmatch() commands. This approach also works, even if it is a bit tedious:

... | eval status_removed=if(searchmatch("B2B.Invoice.Admin:recoverFailedTransmission -- Sucessfully"),1,0)
    | eval status_sysfail=if(searchmatch("Systematic failure"),1,0)
    | eval status_bt=if(searchmatch("Building Transmission"),1,0)
    | eval status_tn=if(searchmatch("\"sent to Trading Networks\""),1,0)
    | eval status=case(status_removed==1, "Removed", status_sysfail==1, "System Failure",  (status_bt==1 AND status_tn==1), "OK",  0==0, "Incomplete")
    | fields status*


Your second example appears to be incorrect:

. | eval status=case(
searchmatch("B2B.Invoice.Admin:recoverFailedTransmission -- Sucessfully"), "Removed", 
searchmatch("Systematic failure", "System Failure"),  
(searchmatch("Building Transmission") AND searchmatch("\"sent to Trading Networks\"")), "OK",  
0==0, "Incomplete")

See the searchmatch in the second line? Shouldn't it be something like:

searchmatch("Systematic failure"), "System Failure",

(notice the parenthesis)

0 Karma

Super Champion

Good catch. Unfortunately that was simply a posting bug on my part. I've corrected the example above, and tried re running it (just to be sure) but I'm still getting the same wacky results with search #2. Any other ideas?

0 Karma
Get Updates on the Splunk Community!

Splunk Security Content for Threat Detection & Response, Q1 Roundup

Join Principal Threat Researcher, Michael Haag, as he walks through:An introduction to the Splunk Threat ...

Splunk Life | Happy Pride Month!

Happy Pride Month, Splunk Community! 🌈 In the United States, as well as many countries around the ...

SplunkTrust | Where Are They Now - Michael Uschmann

The Background Five years ago, Splunk published several videos showcasing members of the SplunkTrust to share ...