Splunk Search

Need alternative to nested if's + wildcard for time sensitive error reporting

daviduslan
Path Finder

Hello,

I have the following situation that I was hoping to use nested if's to solve. We have a series of errors that are only actionable if they appear over a period of time. Many of the errors share similar messages, so I was hoping to use wildcards to capture them all. Unfortunately, wildcards don't appear to work in if statements, so I was wondering if anyone with more experience (I'm a huge noob) could point me towards a better method that accomplishes the same goal. Here is my current query:

index=echelon sourcetype=echelon_error
| eval error_type=if(message="Redis search failure*", "Search Failure",
    if(message="PHP Fatal error:*", "PHP Fatal Errors",
    if(message="sendsoaprequest failed*", "Soap Request Failed",
    if(message="*Maximum execution time of 600 seconds exceeded*", "Max Execution Exceeded",
    if(message="*Error creating performer_profile entry*", "Performer Profile Entry Error",
    if(message="*exception='foo*", "MainController Failure",
    if(program="/sync-staging.pl", "Staging Sync Error", "")))))))
| where error_type!=""
| bucket _time span=1h
| stats count AS program_count by program, error_type, _time
| stats count AS program_occurred_in_x_different_hours, sum(program_count) AS error_occurrences_total by program, error_type
| where program_occurred_in_x_different_hours > 1

richgalloway
SplunkTrust

Perhaps a case statement would help.

eval error_type=case(
    message like "Redis search failure%", "Search Failure",
    message like "PHP Fatal error:%", "PHP Fatal Errors",
    message like "sendsoaprequest failed%", "Soap Request Failed",
    message like "%Maximum execution time of 600 seconds exceeded%", "Max Execution Exceeded",
    message like "%Error creating performer_profile entry%", "Performer Profile Entry Error",
    message like "%exception='foo%", "MainController Failure",
    program="/sync-staging.pl", "Staging Sync Error")
| where isnotnull(error_type)
| ...
---
If this reply helps you, Karma would be appreciated.

daviduslan
Path Finder

This would probably work too. The match statement did the trick as well. Thanks for the comment!

daviduslan
Path Finder

Found the solution, OK to ignore this. Used match within the if.

if(match(message, "^PHP Fatal error:"), "PHP Fatal Errors", (if ...
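
The two classification approaches in this thread (case() with like in the accepted answer, and match() in the asker's own fix) and the rest of the pipeline (bucket to the hour, count distinct hours per program and error type, keep only pairs seen in more than one hour), re-expressed as a small Python model so the windowing logic can be checked offline. This is an added example, not code from the thread or from Splunk. The event dicts are constructed sample data; the rule labels are taken from the search above; regex anchors (^) stand in for like "foo%", and unanchored regexes stand in for like "%foo%".

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Classification rules in priority order, mirroring the case()/match() branches
# in the thread. First match wins, as in case(). Python's re.search is unanchored,
# like Splunk's match(); "^" reproduces the prefix-only behaviour of like "foo%".
# Note why the original query failed: eval's "=" is exact string equality, so
# message="PHP Fatal error:*" only matches a message that literally ends in "*".
RULES = [
    ("message", re.compile(r"^Redis search failure"), "Search Failure"),
    ("message", re.compile(r"^PHP Fatal error:"), "PHP Fatal Errors"),
    ("message", re.compile(r"^sendsoaprequest failed"), "Soap Request Failed"),
    ("message", re.compile(r"Maximum execution time of 600 seconds exceeded"), "Max Execution Exceeded"),
    ("message", re.compile(r"Error creating performer_profile entry"), "Performer Profile Entry Error"),
    ("message", re.compile(r"exception='foo"), "MainController Failure"),
    ("program", re.compile(r"^/sync-staging\.pl$"), "Staging Sync Error"),
]


def classify(event):
    """Return the error_type label for an event, or None when no rule matches
    (case() with no default returns NULL, which `where isnotnull(...)` drops)."""
    for field, rx, label in RULES:
        if rx.search(event.get(field, "")):
            return label
    return None


def hour_bucket(ts):
    """Equivalent of `bucket _time span=1h`: truncate the timestamp to the hour."""
    return ts.replace(minute=0, second=0, microsecond=0)


def recurring_errors(events, min_distinct_hours=2):
    """Mirror of the two-stage stats in the thread.

    Stage 1: count events per (program, error_type, hour).
    Stage 2: per (program, error_type), count the distinct hours and sum the
    occurrences, then keep pairs that appear in at least min_distinct_hours hours
    (the original `where program_occurred_in_x_different_hours > 1`).
    """
    per_hour = defaultdict(int)
    for ev in events:
        error_type = classify(ev)
        if error_type is None:  # where isnotnull(error_type)
            continue
        per_hour[(ev["program"], error_type, hour_bucket(ev["_time"]))] += 1

    summary = defaultdict(lambda: {"hours": 0, "total": 0})
    for (program, error_type, _hour), n in per_hour.items():
        summary[(program, error_type)]["hours"] += 1
        summary[(program, error_type)]["total"] += n

    return {k: v for k, v in summary.items() if v["hours"] >= min_distinct_hours}


def _t(hour, minute):
    # Constructed timestamps on an arbitrary day; only the hour matters here.
    return datetime(2014, 1, 1, hour, minute, tzinfo=timezone.utc)


# Constructed sample events (assumed field names _time, program, message; not real data).
SAMPLE_EVENTS = [
    {"_time": _t(9, 5), "program": "web", "message": "PHP Fatal error: Allowed memory size exhausted"},
    {"_time": _t(9, 40), "program": "web", "message": "PHP Fatal error: Call to undefined function"},
    {"_time": _t(11, 2), "program": "web", "message": "PHP Fatal error: Uncaught exception"},
    {"_time": _t(9, 50), "program": "api", "message": "Redis search failure: timeout"},
    {"_time": _t(10, 3), "program": "worker", "message": "cron: Maximum execution time of 600 seconds exceeded in job.php"},
    {"_time": _t(12, 0), "program": "/sync-staging.pl", "message": "rsync exit 23"},
    {"_time": _t(13, 0), "program": "/sync-staging.pl", "message": "rsync exit 23"},
    {"_time": _t(13, 5), "program": "web", "message": "notice: deprecated call"},  # unclassified, dropped
]


if __name__ == "__main__":
    for (program, error_type), v in sorted(recurring_errors(SAMPLE_EVENTS).items()):
        print(f"{program:20s} {error_type:30s} hours={v['hours']} total={v['total']}")
```

With the sample above, only web/PHP Fatal Errors (hours 09 and 11) and /sync-staging.pl/Staging Sync Error (hours 12 and 13) survive; the single-hour Redis and max-execution events are filtered exactly as the final `where` in the SPL would filter them.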