Searching a particular field and performing actions based on its presence and value

Explorer

My application logs print each record with an id. If the record has any error, it displays the Error field; otherwise it won't. I want to look for the Error field in each record; if present, I have to look at the value in the Error field. If 'A', I have to increase the count for Error Code 503 by 1; if 'B', I have to increase the count for Error Code 504 by 1; and if the Error field is not present in the record, I have to increase the count for response code 200 by 1.

Re: Searching a particular field and performing actions based on its presence and value

Esteemed Legend

I don't get it. This kind of situation always benefits from sample event data and desired mockup of final output.

Re: Searching a particular field and performing actions based on its presence and value

Explorer

Examples of events:

Without error:
Timestamp: 2017-31-08 21:00:01 alpha-transform-id=random generated id, [Response] Service = alpha-transform, ResponseTime=200ms ....

With error:
Timestamp: 2017-31-08 21:00:03 alpha-transform-id=random generated id, [Error Response] Service = alpha-transform, ResponseTime=200ms, Error='A' ....

Kindly let me know: if I just put Index and Namespace in the search bar and got the above two records as an example, how can I search for the Error field and then evaluate based on its value to assign the right error code?

Re: Searching a particular field and performing actions based on its presence and value

Esteemed Legend

Do it like this (probably not, though, see other answer):

|makeresults
| eval raw="Timestamp: 2017-31-08 21:00:01 alpha-transform-id=random generated id, [Response] Service = alpha-transform, ResponseTime=200ms:::Timestamp: 2017-31-08 21:00:03 alpha-transform-id=random generated id, [Error Response] Service = alpha-transform, ResponseTime=200ms, Error='A'"
| makemv delim=":::" raw
| mvexpand raw
| rename raw AS _raw
| kv

| rename COMMENT AS "Everything above generates sample event data; everything below is your solution."

| eval fieldToInc=case(Error="'A'", "503",
                       Error="'B'", "504",
                       true(),      "200")
| eval {fieldToInc}_T3mP = 1
| foreach *_T3mP [eval "<<MATCHSTR>>" = if(isnotnull($<<FIELD>>$), if(isnull($<<MATCHSTR>>$), 1, $<<MATCHSTR>>$ + 1), null()) ]
| fields - fieldToInc *_T3mP
Re: Searching a particular field and performing actions based on its presence and value

Esteemed Legend

Actually, I think that I took you too literally in the other answer. I think that what you really need is aggregation counts like this:

|makeresults
| eval raw="Timestamp: 2017-31-08 21:00:01 alpha-transform-id=random generated id, [Response] Service = alpha-transform, ResponseTime=200ms:::Timestamp: 2017-31-08 21:00:03 alpha-transform-id=random generated id, [Error Response] Service = alpha-transform, ResponseTime=200ms, Error='A'"
| makemv delim=":::" raw
| mvexpand raw
| rename raw AS _raw
| kv

| rename COMMENT AS "Everything above generates sample event data; everything below is your solution."

| eval returnCode=case(Error="'A'", "503",
                       Error="'B'", "504",
                       true(),      "200")
| stats count by returnCode
Re: Searching a particular field and performing actions based on its presence and value

Explorer

My initial search condition is =>
index=ltm1_idx ns=app1 Service='trigger1' Id!='temp-12' | search ErrorResponse

This will result in the events where I will get the Ids other than temp-12, e.g. 100, 123, 124, etc. Now I need to search using that Id value, e.g. Id=100, and get an ActNo field value.

e.g. Event => index=ltm1_idx ns=app1 Service='trigger1' Id='100' ActNo=A123.

Now get this Account No field and check whether its value is A123 or not A123. If A123, add a counter to field1, and if not A123, add a counter to field2. And display the values of field1 and field2 for all the events found in the initial search above over a period of time.

Re: Searching a particular field and performing actions based on its presence and value

Explorer

In order to search for the error records, I use:
ns=app1 Service='trigger1' Id!='temp-100' | search ErrorResponse

Here I get an event like:
timestamp ns=app1 [ErrorResponse] Service='trigger1' id=105 ActNo=1234

Now I have to fetch this ActNo field and search with only ActNo=1234. It will list many events, and in those I have to look for a field appId = 'New1'. If New1, I have to add it to counter1; else counter2.

Thank you!

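An added example (not code from either participant) of the two-stage search asked for in the post above: a subsearch collects the ActNo values from the ErrorResponse events, the outer search pulls every event for those account numbers, and the counts are split on appId per hour. The index name, field names and values are taken from the posts; the hourly span and the comment idiom (a no-op rename, as used earlier in the thread) are assumptions.

```spl
index=ltm1_idx ns=app1 Service='trigger1'
    [ search index=ltm1_idx ns=app1 Service='trigger1' Id!='temp-100' ErrorResponse
      | fields ActNo
      | dedup ActNo ]
| rename COMMENT AS "The subsearch expands to (ActNo=1234) OR (ActNo=...) for each account number seen in an ErrorResponse event, so the outer search fetches all events for those account numbers."
| eval bucket=if(appId="New1", "counter1", "counter2")
| rename COMMENT AS "Events with no appId field land in counter2: the comparison is false when the field is null."
| timechart span=1h count BY bucket
```

Both searches run over the same time picker range, so the outer events are limited to the same period as the errors; widen the outer range with an explicit earliest/latest if later events for the same account numbers are wanted.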
Re: Searching a particular field and performing actions based on its presence and value

Esteemed Legend

I believe you started over in another question on Answers that is better formulated, right?

Re: Searching a particular field and performing actions based on its presence and value

Explorer

Yes. And apologies for changing the contents as I was also not sure on the pattern of events I was getting. Thank you!

Re: Searching a particular field and performing actions based on its presence and value

Esteemed Legend

No problem; it just means that this Q&A is dead. Nothing to see. Move along.
