Splunk Search

Need help in merging the queries

Aj01
Path Finder

Hi,

i need to add two queries so that they could come in different fields in one visualization, one will be the error and one will be success transaction.

 

index=sso Appid="APP-49" PROD ("Util.validateAuth" AND "METHOD_ENTRY")   - ERROR

index=sso Appid="APP-49" PROD ("RestTorHandler : hleError :" OR "java.net.SocketException: Connection reset]" OR "Error in processor call." OR level="error" NOT "resubmit the request")      - SUCCESS

 

need to add both the queries and provide the count for error and count for success but while using this query, sum of the error transaction level!=error so the error count is not matching.

index=ss Appid="APP-49" PROD ("Util.validateAuth" AND "METHOD_ENTRY") OR index=sso ("RestTorHandler : hleError :" OR "java.net.SocketException: Connection reset]" OR "Error in processor call." OR level="error" NOT "resubmit the request") 
| rex field=_raw " (?<service_name>\w+)-prod"
| eval err_flag = if(environment="nonprod", 1,0)
| eval success_flag = if(level!="ERROR", 1,0)
| stats sum(err_flag) as total_errors, sum(success_flag) as total_successes by service_name

 

Please help it would be great.

 

Labels (5)
0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

Try something like this

index=sso Appid="APP-49" PROD ("Util.validateAuth" AND "METHOD_ENTRY") OR ("RestTorHandler : hleError :" OR "java.net.SocketException: Connection reset]" OR "Error in processor call." OR level="error" NOT "resubmit the request")
| rex field=_raw " (?<service_name>\w+)-prod"
| eval err_flag = if(searchmatch("Util.validateAuth" AND "METHOD_ENTRY"), 1,0)
| eval success_flag = if(searchmatch("RestTorHandler : hleError :" OR "java.net.SocketException: Connection reset]" OR "Error in processor call." OR level="error" NOT "resubmit the request"), 1,0)
| stats sum(err_flag) as total_errors, sum(success_flag) as total_successes by service_name

Aj01
Path Finder

It is not working as if doesn't take AND and NOT in if command.

getting error : Error in 'EvalCommand': The expression is malformed. Expected ).

0 Karma

PickleRick
SplunkTrust
SplunkTrust

No, it's about the unescaped quotes in the searchmatch() argument. If it needs embedded strings, the quotes for those strings should be escaped.

0 Karma
Get Updates on the Splunk Community!

Splunk Enterprise Security 8.0.2 Availability: On cloud and On-premise!

A few months ago, we released Splunk Enterprise Security 8.0 for our cloud customers. Today, we are excited to ...

Logs to Metrics

Logs and Metrics Logs are generally unstructured text or structured events emitted by applications and written ...

Developer Spotlight with Paul Stout

Welcome to our very first developer spotlight release series where we'll feature some awesome Splunk ...