Splunk Search

Match multiple items in If with Top

jkat54
SplunkTrust
SplunkTrust
index="test" host="*P*" "Type=Error" 
|eval Code = if(EventCode="10034","Access Denied",if(EventCode="5749","Port Timeout",if(EventCode="5778","Failed to Process",if(EventCode="10033","Unexpected Message","Other")))) 
| top Code

This gives me the results I'm looking for, but then I noticed there were a few other errors with EventCode="10034". So I wanted to separate the errors like this:

...| eval Code = if((EventCode="10034" AND Message="*InternalWriteEvent\*"),"Access Denied",...

Only when I do that, the EventCode 10034 with a message= *InternalWriteEvent* shows up as "Other".

Here's the source:

20120812150058.000000
Category=0
CategoryString=NULL
EventCode=10034
EventIdentifier=10034
EventType=1
Logfile=Application
RecordNumber=8043256
SourceName=XLANG/s
TimeGenerated=20120812200058.000000-000
TimeWritten=20120812200058.000000-000
Type=Error
User=NULL
ComputerName=HostName
wmi_type=WinEventLog:Application
Message=xlang/s engine event log entry: Uncaught exception (see the 'inner exception' below) has suspended an instance of service '(e9e7c7bd-18f4-9e4a-3c51-1b04f61e95fb)'.
The service instance will remain suspended until administratively resumed or terminated. 
If resumed the instance will continue from its last persisted state and may re-throw the same unexpected exception.
InstanceId: 85411cad-1e68-4921-abc3-8220a148cde9
Shape name: Declare Base Log
ShapeId: 33a466b0-4e84-49b3-bb0b-ba64131545eb
Exception thrown from: segment 2, progress 19
Inner exception: Access is denied

Exception type: Win32Exception
Source: System
Target Site: Void InternalWriteEvent(UInt32, UInt16, System.Diagnostics.EventLogEntryType, System.String[], Byte[], System.String)
The following is a stack trace that identifies the location where the exception occured

   at System.Diagnostics.EventLogInternal.InternalWriteEvent(UInt32 eventID, UInt16 category, EventLogEntryType type, String[] strings, Byte[] rawData, String currentMachineName)
   at System.Diagnostics.EventLogInternal.WriteEntry(String message, EventLogEntryType type, Int32 eventID, Int16 category, Byte[] rawData)
   at System.Diagnostics.EventLog.WriteEntry(String source, String message, EventLogEntryType type, Int32 eventID, Int16 category, Byte[] rawData)
   at Orchestration.segment2(StopConditions stopOn)
   at Microsoft.XLANGs.Core.SegmentScheduler.RunASegment(Segment s, StopConditions stopCond, Exception& exp)

Any help would be appreciated.

TIA

Tags (2)
0 Karma
1 Solution

lguinn2
Legend

I would use the case function instead. Also, you can't use wildcards in either the if function or the case function. See if this works.

index="test" host="*P*" "Type=Error" 
| eval Code="Other"
| eval Code=case(EventCode=="10034" AND match(Message,"InternalWriteEvent"),"Access Denied",
                 EventCode=="5749","Port Timeout",
                 EventCode=="5778","Failed to Process",
                 EventCode=="10033","Unexpected Message")
| top Code

View solution in original post

lguinn2
Legend

I would use the case function instead. Also, you can't use wildcards in either the if function or the case function. See if this works.

index="test" host="*P*" "Type=Error" 
| eval Code="Other"
| eval Code=case(EventCode=="10034" AND match(Message,"InternalWriteEvent"),"Access Denied",
                 EventCode=="5749","Port Timeout",
                 EventCode=="5778","Failed to Process",
                 EventCode=="10033","Unexpected Message")
| top Code

jkat54
SplunkTrust
SplunkTrust

Just solved, thanks to your example.

I changed my search to this:

index="test" host="*P*" "Type=Error" | eval Code = if(EventCode="10034" AND match(Message,"InternalWriteEvent"),"Access Denied",if(EventCode="5749","Port Timeout",if(EventCode="5778","Failed to Process",if(EventCode="10033","Unexpected Message","Other")))) | top Code

The example you gave wouldnt return "Other"s but did everything else correctly. The match(Message,"InternalWriteEvent") was key!

Thanks!

0 Karma
Get Updates on the Splunk Community!

.conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

 (view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...