Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Splunk query to retrieve logs containing empty que...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Splunk query to retrieve logs containing empty query_string
super_edition
Path Finder
02-25-2024
12:49 AM
Hello team
Below are my splunk logs:
{
body_bytes_sent: 0
bytes_sent: 0
host: nice_host
http_content_type: -
http_referer: -
http_user_agent: -
kong_request_id: 8853b73ffef1c5522b4a383c286c825e
log_type: kong
query_string: -
remote_addr: 10.138.100.153
request_id: 93258e0bc529fa9844e0fd2d69168d0f
request_length: 1350
request_method: GET
request_time: 0.162
scheme: https
server_addr: 10.138.100.151
server_protocol: HTTP/1.1
status: 499
time_local: 25/Feb/2024:05:11:24 +0000
upstream_addr: 10.138.103.157:8080
upstream_host: nice_host
upstream_response_time: 0.000
uri: /v1/d5a413b6-7d00-4874-b706-17b15b7a140b
}
{
body_bytes_sent: 0
bytes_sent: 0
host: nice_host
http_content_type: -
http_referer: -
http_user_agent: -
kong_request_id: 89cea871feba9f2d5216856f7a884223
log_type: kong
query_string: productType=ALL
remote_addr: 10.138.100.214
request_id: 9dbf69defb49a3595cf1040e6ab5d4f2
request_length: 1366
request_method: GET
request_time: 0.167
scheme: https
server_addr: 10.138.100.151
server_protocol: HTTP/1.1
status: 499
time_local: 25/Feb/2024:05:11:24 +0000
upstream_addr: 10.138.98.140:8080
upstream_host: nice_host
upstream_response_time: 0.000
uri: /v1/a8b7570f-d0af-4d0d-bd6d-f6cf31892267
}
From the above, I want to extract the request_time and upstream_response_time from the log event for the uri "/v1/*" which has query_string is empty(-)
I tried the below search query, but it returns result containing query_string as empty and with values(productType=ALL)
index="my_indexx"
| spath host | search host="nice_host"
| eval Operations=case(
searchmatch("GET query_string: - /v1/*"),"getCart")
| stats avg(request_time) as avg_request_time avg(upstream_response_time) as avg_upstreamTime perc90(request_time) as 90_request_time perc90(upstream_response_time) as 90_upstreamResponseTime by Operations
| eval avg_request_time=round(avg_request_time,2)
| eval avg_upstreamTime=round(avg_upstreamTime,2)
index="ek_cloud_k8sdta_digital_platforms_kong"
| spath host | search host="shopping-carts-service-oxygen-dev.apps.stg01.digitalplatforms.aws.emirates.dev"
| eval Operations=case(
match(_raw, "/v1/[^/ ?]"),"getCart")
| stats avg(request_time) as avg_request_time avg(upstream_response_time) as avg_upstreamTime perc90(request_time) as 90_request_time perc90(upstream_response_time) as 90_upstreamResponseTime by Operations
| eval avg_request_time=round(avg_request_time,2)
| eval avg_upstreamTime=round(avg_upstreamTime,2)
Can someone help on this.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
tscroggins
Influencer
02-25-2024
09:13 AM
Hi,
Can you provide a sample of the raw data? It's probably JSON assuming what you've posted is from Splunk's "List" view. The spath command in your search also expects _raw (by default) to be JSON. If that's the case, the fields aren't empty. They have a literal hyphen as their value. For example:
{"body_bytes_sent": "0", "bytes_sent": "0", "host": "nice_host", "http_content_type": "-", "http_referer": "-", "http_user_agent": "-", "kong_request_id": "8853b73ffef1c5522b4a383c286c825e", "log_type": "kong", "query_string": "-", "remote_addr": "10.138.100.153", "request_id": "93258e0bc529fa9844e0fd2d69168d0f", "request_length": "1350", "request_method": "GET", "request_time": "0.162", "scheme": "https", "server_addr": "10.138.100.151", "server_protocol": "HTTP/1.1", "status": "499", "time_local": "25/Feb/2024:05:11:24 +0000", "upstream_addr": "10.138.103.157:8080", "upstream_host": "nice_host", "upstream_response_time": "0.000", "uri": "/v1/d5a413b6-7d00-4874-b706-17b15b7a140b"}
{"body_bytes_sent": "0", "bytes_sent": "0", "host": "nice_host", "http_content_type": "-", "http_referer": "-", "http_user_agent": "-", "kong_request_id": "89cea871feba9f2d5216856f7a884223", "log_type": "kong", "query_string": "productType=ALL", "remote_addr": "10.138.100.214", "request_id": "9dbf69defb49a3595cf1040e6ab5d4f2", "request_length": "1366", "request_method": "GET", "request_time": "0.167", "scheme": "https", "server_addr": "10.138.100.151", "server_protocol": "HTTP/1.1", "status": "499", "time_local": "25/Feb/2024:05:11:24 +0000", "upstream_addr": "10.138.98.140:8080", "upstream_host": "nice_host", "upstream_response_time": "0.000", "uri": "/v1/a8b7570f-d0af-4d0d-bd6d-f6cf31892267"}You can search for the literal value directly:
query_string=-or
query_string="-"There is a caveat: the hyphen is a minor breaker and isn't indexed by Splunk as a term. All events will be returned initially, the query_string field will be extracted, and its value will be scanned for a hyphen to filter results.
If your JSON fields aren't auto-extracted, we can investigate your inputs.conf and props.conf settings.
Get Updates on the Splunk Community!
Dashboards: Hiding charts while search is being executed and other uses for tokens
There are a couple of features of SimpleXML / Classic dashboards that can be used to enhance the user ...
Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...
This is the fourth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how ...
Brains, Bytes, and Boston: Learn from the Best at .conf25
When you think of Boston, you might picture colonial charm, world-class universities, or even the crack of a ...
