Are you a member of the Splunk Community?
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Search Error labels and level=Error both in sa...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Search strings and conditions together
Splunk is too powerful. But i wish the search criteria language would have been more generic something like sql 🙂
I have 3 buckets for error, warning and info for each source type.
Need help from experts
1) to add condition in error bucket like this.
level="ERROR" or log contains any of these ("Failed","Exception","Fatal")
2) also in dashboard line chart if i clicked on the error line, it should actually take me those error logs. Is it possible ?
<dashboard>
<label>application Name</label>
<description>Spark application logs</description>
<row>
<panel>
<title>logs</title>
<chart>
<title>Streaming Error Count</title>
<search>
<query>index=myindex sourcetype=mysourceType1 |
timechart count as total_logs count(eval(level="INFO")) as total_info count(eval(level="WARN")) as total_warn count(eval(level="ERROR")) as total_error span=1h</query>
<earliest>-7d@h</earliest>
<latest>now</latest>
</search>
<option name="charting.chart">line</option>
<option name="charting.chart.showDataLabels">minmax</option>
<option name="charting.drilldown">all</option>
<option name="charting.layout.splitSeries">0</option>
</chart>
</panel>
</row>
</dashboard>
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It gives following error.
Error in 'timechart' command: The eval expression for dynamic field 'level="ERROR" OR ("Failed" OR "Exception" OR "Fatal") ' is invalid. Error='Type checking failed. 'OR' only takes boolean arguments.'.
<query>index=myindex sourcetype=mySourceTYpe |
timechart count as total_logs count(eval(level="INFO")) as total_info count(eval(level="WARN")) as total_warn count(eval(level="ERROR" OR ("Failed" OR "Exception" OR "Fatal") ) ) as total_error span=1h</query>
<earliest>-7d@h</earliest>
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I think I understand why that failed. Try this alternative.
index=myindex sourcetype=mySourceTYpe
| eval error = if(level="ERROR" OR searchmatch("Failed") OR searchmatch("Exception") OR searchmatch("Fatal"), 1, 0)
| timechart count as total_logs count(eval(level="INFO")) as total_info count(eval(level="WARN")) as total_warn sum(error) as total_error span=1hIf this reply helps you, Karma would be appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Have you seen the Splunk SPL for SQL Users manual? https://docs.splunk.com/Documentation/Splunk/8.1.0/SearchReference/SQLtoSplunk
1) Without knowing the context, you can try
level="ERROR" OR ("Failed" OR "Exception" OR "Fatal")2) The easiest way to do that is via the UI. Edit the dashboard and click on the hamburger (triple-dot) icon in the panel Select "Edit Drilldown". Choose "Link to search" from the dropdown then select Custom. Enter the search you want to run. Use tokens to employ fields from the dashboard.
If this reply helps you, Karma would be appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The OR condition is not working. will appreciate any help.
Updated Data Type Articles, Anniversary Celebrations, and More on Splunk Lantern
A Prelude to .conf25: Your Guide to Splunk University
4 Ways the Splunk Community Helps You Prepare for .conf25
