
Need alternative to nested if's + wildcard for time sensitive error reporting

daviduslan
Path Finder

Hello,

I have the following situation that I was hoping to use nested if's to solve. We have a series of errors that are only actionable if they appear over a period of time. Many of the errors share similar messages, so I was hoping to use wildcards to capture them all. Unfortunately, wildcards don't appear to work in if statements, so I was wondering if anyone with more experience (I'm a huge noob) could point me towards a better method that accomplishes the same goal. Here is my current query:

index=echelon sourcetype=echelon_error
| eval error_type=if(message="Redis search failure*", "Search Failure",
    if(message="PHP Fatal error:*", "PHP Fatal Errors",
    if(message="sendsoaprequest failed*", "Soap Request Failed",
    if(message="*Maximum execution time of 600 seconds exceeded*", "Max Execution Exceeded",
    if(message="*Error creating performer_profile entry*", "Performer Profile Entry Error",
    if(message="*exception='foo*", "MainController Failure",
    if(program="/sync-staging.pl", "Staging Sync Error", "")))))))
| where error_type!=""
| bucket _time span=1h
| stats count AS program_count by program, error_type, _time
| stats count AS program_occurred_in_x_different_hours, sum(program_count) AS error_occurrences_total by program, error_type
| where program_occurred_in_x_different_hours > 1
1 Solution

richgalloway
SplunkTrust
SplunkTrust

Perhaps a case statement would help.

eval error_type=case(message like "Redis search failure%", "Search Failure",
    message like "PHP Fatal error:%", "PHP Fatal Errors",
    message like "sendsoaprequest failed%", "Soap Request Failed",
    message like "%Maximum execution time of 600 seconds exceeded%", "Max Execution Exceeded",
    message like "%Error creating performer_profile entry%", "Performer Profile Entry Error",
    message like "%exception='foo%", "MainController Failure",
    program="/sync-staging.pl", "Staging Sync Error")
| where isnotnull(error_type) | ...
---
If this reply helps you, Karma would be appreciated.
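The classification and hour-bucketing pipeline from this answer, reimplemented in Python as an added example (not code from the thread or from Splunk): like() patterns become anchored regexes, so a leading or trailing % decides between prefix and contains matching, and the second stage keeps only (program, error_type) pairs seen in more than one distinct hour. The event dicts, program names and timestamps are constructed for the demonstration.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

UTC = timezone.utc
# like() patterns in the order the case() answer evaluates them; first match wins.
MESSAGE_RULES = [
    ("Redis search failure%", "Search Failure"),
    ("PHP Fatal error:%", "PHP Fatal Errors"),
    ("sendsoaprequest failed%", "Soap Request Failed"),
    ("%Maximum execution time of 600 seconds exceeded%", "Max Execution Exceeded"),
    ("%Error creating performer_profile entry%", "Performer Profile Entry Error"),
    ("%exception='foo%", "MainController Failure"),  # 'foo' is the question's placeholder
]
def like_to_regex(pattern):
    # SPL like(): % matches any run of characters, _ exactly one; anchored at both ends,
    # so "PHP Fatal error:%" is a prefix test while "%...%" is a contains test.
    body = "".join(".*" if c == "%" else "." if c == "_" else re.escape(c) for c in pattern)
    return re.compile("^" + body + "$", re.DOTALL)
COMPILED_RULES = [(like_to_regex(p), label) for p, label in MESSAGE_RULES]
def classify(event):
    # Mirrors case(...): returns None where SPL would leave error_type null.
    for rx, label in COMPILED_RULES:
        if rx.match(event["message"]):
            return label
    if event.get("program") == "/sync-staging.pl":
        return "Staging Sync Error"
    return None
def actionable_errors(events, min_distinct_hours=2):
    # bucket _time span=1h | stats count by program, error_type, _time
    per_hour = defaultdict(int)
    for ev in events:
        label = classify(ev)
        if label is not None:
            hour = ev["_time"].replace(minute=0, second=0, microsecond=0)
            per_hour[(ev["program"], label, hour)] += 1
    # stats dc(_time) AS hours, sum(count) AS total by program, error_type | where hours > 1
    hours, totals = defaultdict(set), defaultdict(int)
    for (prog, label, hour), n in per_hour.items():
        hours[(prog, label)].add(hour)
        totals[(prog, label)] += n
    return {k: (len(h), totals[k]) for k, h in hours.items() if len(h) >= min_distinct_hours}

SAMPLE_EVENTS = [  # constructed sample events, not data from the thread
    {"_time": datetime(2025, 1, 1, 10, 5, tzinfo=UTC), "program": "web.php", "message": "PHP Fatal error: out of memory"},
    {"_time": datetime(2025, 1, 1, 10, 40, tzinfo=UTC), "program": "web.php", "message": "PHP Fatal error: out of memory"},
    {"_time": datetime(2025, 1, 1, 11, 15, tzinfo=UTC), "program": "web.php", "message": "PHP Fatal error: Uncaught Exception"},
    {"_time": datetime(2025, 1, 1, 10, 10, tzinfo=UTC), "program": "worker.php", "message": "notice: Maximum execution time of 600 seconds exceeded"},
    {"_time": datetime(2025, 1, 1, 13, 0, tzinfo=UTC), "program": "/sync-staging.pl", "message": "rsync exited with code 23"},
]
```

Running actionable_errors(SAMPLE_EVENTS) reports only web.php / PHP Fatal Errors, seen in 2 distinct hours with 3 occurrences; the single-hour worker.php and sync-staging events are dropped exactly as the final where clause drops them.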


daviduslan
Path Finder

This would probably work too. The match statement did the trick as well. Thanks for the comment!


daviduslan
Path Finder

Found the solution, OK to ignore this. Used match within the if.

if( match(message, ".*PHP Fatal error:*."), "PHP Fatal Errors", (if