Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Splunk Search
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Match multiple items in If with Top
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
jkat54
SplunkTrust
08-13-2012
09:23 AM
index="test" host="*P*" "Type=Error"
|eval Code = if(EventCode="10034","Access Denied",if(EventCode="5749","Port Timeout",if(EventCode="5778","Failed to Process",if(EventCode="10033","Unexpected Message","Other"))))
| top Code
This gives me the results I'm looking for, but then I noticed there were a few other errors with EventCode="10034". So I wanted to separate the errors like this:
...| eval Code = if((EventCode="10034" AND Message="*InternalWriteEvent\*"),"Access Denied",...
Only when I do that, the EventCode 10034 with a message= *InternalWriteEvent* shows up as "Other".
Here's the source:
20120812150058.000000
Category=0
CategoryString=NULL
EventCode=10034
EventIdentifier=10034
EventType=1
Logfile=Application
RecordNumber=8043256
SourceName=XLANG/s
TimeGenerated=20120812200058.000000-000
TimeWritten=20120812200058.000000-000
Type=Error
User=NULL
ComputerName=HostName
wmi_type=WinEventLog:Application
Message=xlang/s engine event log entry: Uncaught exception (see the 'inner exception' below) has suspended an instance of service '(e9e7c7bd-18f4-9e4a-3c51-1b04f61e95fb)'.
The service instance will remain suspended until administratively resumed or terminated.
If resumed the instance will continue from its last persisted state and may re-throw the same unexpected exception.
InstanceId: 85411cad-1e68-4921-abc3-8220a148cde9
Shape name: Declare Base Log
ShapeId: 33a466b0-4e84-49b3-bb0b-ba64131545eb
Exception thrown from: segment 2, progress 19
Inner exception: Access is denied
Exception type: Win32Exception
Source: System
Target Site: Void InternalWriteEvent(UInt32, UInt16, System.Diagnostics.EventLogEntryType, System.String[], Byte[], System.String)
The following is a stack trace that identifies the location where the exception occured
at System.Diagnostics.EventLogInternal.InternalWriteEvent(UInt32 eventID, UInt16 category, EventLogEntryType type, String[] strings, Byte[] rawData, String currentMachineName)
at System.Diagnostics.EventLogInternal.WriteEntry(String message, EventLogEntryType type, Int32 eventID, Int16 category, Byte[] rawData)
at System.Diagnostics.EventLog.WriteEntry(String source, String message, EventLogEntryType type, Int32 eventID, Int16 category, Byte[] rawData)
at Orchestration.segment2(StopConditions stopOn)
at Microsoft.XLANGs.Core.SegmentScheduler.RunASegment(Segment s, StopConditions stopCond, Exception& exp)
Any help would be appreciated.
TIA
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
lguinn2
Legend
08-13-2012
10:23 AM
I would use the case function instead. Also, you can't use wildcards in either the if function or the case function. See if this works.
index="test" host="*P*" "Type=Error"
| eval Code="Other"
| eval Code=case(EventCode=="10034" AND match(Message,"InternalWriteEvent"),"Access Denied",
EventCode=="5749","Port Timeout",
EventCode=="5778","Failed to Process",
EventCode=="10033","Unexpected Message")
| top Code
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
lguinn2
Legend
08-13-2012
10:23 AM
I would use the case function instead. Also, you can't use wildcards in either the if function or the case function. See if this works.
index="test" host="*P*" "Type=Error"
| eval Code="Other"
| eval Code=case(EventCode=="10034" AND match(Message,"InternalWriteEvent"),"Access Denied",
EventCode=="5749","Port Timeout",
EventCode=="5778","Failed to Process",
EventCode=="10033","Unexpected Message")
| top Code
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
jkat54
SplunkTrust
08-27-2014
03:25 PM
Just solved, thanks to your example.
I changed my search to this:
index="test" host="*P*" "Type=Error" | eval Code = if(EventCode="10034" AND match(Message,"InternalWriteEvent"),"Access Denied",if(EventCode="5749","Port Timeout",if(EventCode="5778","Failed to Process",if(EventCode="10033","Unexpected Message","Other")))) | top Code
The example you gave wouldnt return "Other"s but did everything else correctly. The match(Message,"InternalWriteEvent") was key!
Thanks!
Get Updates on the Splunk Community!
Enterprise Security Content Update (ESCU) | New Releases
In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...
Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?
(This is the first of a series of 2 blogs).
Splunk Enterprise Security is a fantastic tool that offers robust ...
Index This | What are the 12 Days of Splunk-mas?
December 2024 Edition
Hayyy Splunk Education Enthusiasts and the Eternally Curious!
We’re back with another ...
