Splunk Search

Match multiple items in If with Top

jkat54
SplunkTrust
SplunkTrust
index="test" host="*P*" "Type=Error" 
|eval Code = if(EventCode="10034","Access Denied",if(EventCode="5749","Port Timeout",if(EventCode="5778","Failed to Process",if(EventCode="10033","Unexpected Message","Other")))) 
| top Code

This gives me the results I'm looking for, but then I noticed there were a few other errors with EventCode="10034". So I wanted to separate the errors like this:

...| eval Code = if((EventCode="10034" AND Message="*InternalWriteEvent\*"),"Access Denied",...

Only when I do that, the EventCode 10034 with a message= *InternalWriteEvent* shows up as "Other".

Here's the source:

20120812150058.000000
Category=0
CategoryString=NULL
EventCode=10034
EventIdentifier=10034
EventType=1
Logfile=Application
RecordNumber=8043256
SourceName=XLANG/s
TimeGenerated=20120812200058.000000-000
TimeWritten=20120812200058.000000-000
Type=Error
User=NULL
ComputerName=HostName
wmi_type=WinEventLog:Application
Message=xlang/s engine event log entry: Uncaught exception (see the 'inner exception' below) has suspended an instance of service '(e9e7c7bd-18f4-9e4a-3c51-1b04f61e95fb)'.
The service instance will remain suspended until administratively resumed or terminated. 
If resumed the instance will continue from its last persisted state and may re-throw the same unexpected exception.
InstanceId: 85411cad-1e68-4921-abc3-8220a148cde9
Shape name: Declare Base Log
ShapeId: 33a466b0-4e84-49b3-bb0b-ba64131545eb
Exception thrown from: segment 2, progress 19
Inner exception: Access is denied

Exception type: Win32Exception
Source: System
Target Site: Void InternalWriteEvent(UInt32, UInt16, System.Diagnostics.EventLogEntryType, System.String[], Byte[], System.String)
The following is a stack trace that identifies the location where the exception occured

   at System.Diagnostics.EventLogInternal.InternalWriteEvent(UInt32 eventID, UInt16 category, EventLogEntryType type, String[] strings, Byte[] rawData, String currentMachineName)
   at System.Diagnostics.EventLogInternal.WriteEntry(String message, EventLogEntryType type, Int32 eventID, Int16 category, Byte[] rawData)
   at System.Diagnostics.EventLog.WriteEntry(String source, String message, EventLogEntryType type, Int32 eventID, Int16 category, Byte[] rawData)
   at Orchestration.segment2(StopConditions stopOn)
   at Microsoft.XLANGs.Core.SegmentScheduler.RunASegment(Segment s, StopConditions stopCond, Exception& exp)

Any help would be appreciated.

TIA

Tags (2)
0 Karma
1 Solution

lguinn2
Legend

I would use the case function instead. Also, you can't use wildcards in either the if function or the case function. See if this works.

index="test" host="*P*" "Type=Error" 
| eval Code="Other"
| eval Code=case(EventCode=="10034" AND match(Message,"InternalWriteEvent"),"Access Denied",
                 EventCode=="5749","Port Timeout",
                 EventCode=="5778","Failed to Process",
                 EventCode=="10033","Unexpected Message")
| top Code

View solution in original post

lguinn2
Legend

I would use the case function instead. Also, you can't use wildcards in either the if function or the case function. See if this works.

index="test" host="*P*" "Type=Error" 
| eval Code="Other"
| eval Code=case(EventCode=="10034" AND match(Message,"InternalWriteEvent"),"Access Denied",
                 EventCode=="5749","Port Timeout",
                 EventCode=="5778","Failed to Process",
                 EventCode=="10033","Unexpected Message")
| top Code

jkat54
SplunkTrust
SplunkTrust

Just solved, thanks to your example.

I changed my search to this:

index="test" host="*P*" "Type=Error" | eval Code = if(EventCode="10034" AND match(Message,"InternalWriteEvent"),"Access Denied",if(EventCode="5749","Port Timeout",if(EventCode="5778","Failed to Process",if(EventCode="10033","Unexpected Message","Other")))) | top Code

The example you gave wouldnt return "Other"s but did everything else correctly. The match(Message,"InternalWriteEvent") was key!

Thanks!

0 Karma
Get Updates on the Splunk Community!

Observability Highlights | January 2023 Newsletter

 January 2023New Product Releases Splunk Network Explorer for Infrastructure MonitoringSplunk unveils Network ...

Security Highlights | January 2023 Newsletter

January 2023 Splunk Security Essentials (SSE) 3.7.0 ReleaseThe free Splunk Security Essentials (SSE) 3.7.0 app ...

Platform Highlights | January 2023 Newsletter

 January 2023Peace on Earth and Peace of Mind With Business ResilienceAll organizations can start the new year ...