Splunk Search

Stats Count Eval Error using OR

markthompson
Builder

Hi,
I'm creating a traffic light system and I have this part of my search string; 'stats count(eval("Error" OR "Attempt 3...unsuccessful.")) AS value'.

But splunk won't let me use the OR value inside the eval(), is there any way round this as I need it to count the amount of times that it says "Error" or "Attempt 3..unsuccessful."

Thanks in advance.

sideview
SplunkTrust
SplunkTrust

I would break this apart into a more explicit eval clause that creates a temporary field value, and then a simpler stats clause that operates on that field value. that way you have hte full breadth of the eval command rather than the (I think) more limited syntax supported in stats/chart/timechart

| eval type=if(searchmatch("Error") OR searchmatch("Attempt 3...unsuccessful."),"succeeded","failed") | stats count by type`

or for a different approach

| eval isFailure=if(searchmatch("Error") OR searchmatch("Attempt 3...unsuccessful."),1,0) | stats sum(isFailure) as failures`
0 Karma

markthompson
Builder

Still experiencing problems even in 6.1.4, with it only display N/A. I will put the whole search query in; transaction startswith="Targeting file BP_Comp_Summ_Pos*" endswith="Server returned an error: No such file or folder" OR "The file was downloaded successfully." | search "Error" OR "Attempt 3...unsuccessful." | eval interval=relative_time(_time,"@d") | eval isFailure=if(searchmatch("Error") OR searchmatch("Attempt 3...unsuccessful."),1,0) | stats sum(isFailure) as failures | rangemap field=isFailure low=0-0 elevated=1-2 severe=3-15 default=520

0 Karma

wpreston
Motivator

From this search, it looks like the problem is that in the rangemap you are trying to map on the isFailure field, but it no longer exists in your search results because it was renamed to failures in your stats command. Try changing the rangemap field to failures and see if that works:

transaction startswith="Targeting file BP_Comp_Summ_Pos*" endswith="Server returned an error: No such file or folder" OR "The file was downloaded successfully." 
| search "Error" OR "Attempt 3...unsuccessful." 
| eval interval=relative_time(_time,"@d") 
| eval isFailure=if(searchmatch("Error") OR searchmatch("Attempt 3...unsuccessful."),1,0) 
| stats sum(isFailure) as failures 
| rangemap field=failures low=0-0 elevated=1-2 severe=3-15 default=520

markthompson
Builder

Hi, I'm still getting the same error when it says N/A. here's code;

| transaction startswith="Targeting file BP_Comp_Summ_Pos*" endswith="Server returned an error: No such file or folder" OR "The file was downloaded successfully." | search "Error" OR "Attempt 3...unsuccessful."  | eval interval=relative_time(_time,"@d") | eval isFailure=if(searchmatch("Error") OR searchmatch("Attempt 3...unsuccessful."),1,0) | stats sum(isFailure) as failures | rangemap field=failures low=0-0 elevated=1-2 severe=3-15 default=520
0 Karma

wpreston
Motivator

Very strange. When I run your search using my own fields/data, it returns everything as expected... Can you post the xml for this panel from your dashboard? I'm specifically interested in the traffic light definition.

0 Karma

markthompson
Builder

The problem appears to be something to do with the count as it seems to default back to the default value (520 in this case). So i don't think the rangemap is picking up any counts of errors. Any ideas?

0 Karma

markthompson
Builder

And the XML:

<panel>
      <single>
        <title>FullUBS-Pos</title>
        <searchString>index=project_omega host=PersistUBS | transaction startswith="Targeting file BP_Comp_Summ_Pos*" endswith="Server returned an error: No such file or folder" OR "The file was downloaded successfully." | search "Error" OR "Attempt 3...unsuccessful."  | eval interval=relative_time(_time,"@d") | eval isFailure=if(searchmatch("Error") OR searchmatch("Attempt 3...unsuccessful."),1,0) | stats sum(isFailure) as failures | rangemap field=failures low=0-0 elevated=1-2 severe=3-15 default=520</searchString>
        <earliestTime>@d</earliestTime>
        <latestTime>now</latestTime>
        <option name="classField">range</option>
        <option name="field">value</option>
        <option name="additionalClass">icon-only</option>
        <option name="linkView">search</option>
        <option name="drilldown">none</option>
      </single>
    </panel>

It's working on other files, that don't use the OR

0 Karma

markthompson
Builder

Won't let me upload the code, will have to do it in 2 parts
Hi,
The CSS:

.single-value:before {
    font-family: "Splunk Icons";
    font-style: normal;
    font-weight: normal;
    text-decoration: inherit;
    font-size: 48px;
}
.severe.single-value:before {
    content: "\2297";
    color: #ff1f24;
}
.high.single-value:before {
    content: "\ECD4";
    color: #ff7e00;
}
.elevated.single-value:before {
    content: "\26A0";
    color: #ffb800;
}
.low.single-value:before {
    content: "\ECD3";
    color: #00b932;
}
.guarded.single-value:before {
    content: "\0049";
    color: #4da6df;
}
.icon-only.single-value:before {
    font-size: 65px;
}
.icon-only .single-result {
    display: none;
}
0 Karma

markthompson
Builder

Hi,
Tried this but it now displays "N/A" instead of the traffic light that the rest of them show, here's the string:
eval isFailure=if(searchmatch("Error") OR searchmatch("Attempt 3...unsuccessful."),1,0) | stats sum(isFailure) as failures | rangemap field=failures low=0-0 elevated=1-2 severe=3-15 default=520

Any further ideas?

0 Karma

sideview
SplunkTrust
SplunkTrust

Oddly, it sounds just like a longstanding bug in Splunk's SingleValue module, ie in the "advanced XML", (or a single element in the 5.x simple xml, which amounts to the same thing). That bug makes the element always display N/A if the main search results return no result rows, even if after being postprocessed, they return some rows. If that fits here, you might try replacing it with the sideview xml equivalents, which are either Link + Redirector, or the HTML module.

Otherwise is postprocess involved here at all? If so, I would double check that the base search syntax plus the postprocess syntax, doesn't throw an error when combined manually into a single search run in the default search UI.

0 Karma

markthompson
Builder

I don't think this fits, I have multiple other searches that all use roughly the same string, with some minor changes to the host etc, but thats just to select which logs to read from. the only thing thats different in this one is the OR statement, which I'm using the second one that you answered. Thanks

0 Karma

sideview
SplunkTrust
SplunkTrust

OK. What is the kind of dashboard here? simple XML in 6.X? sideview xml? core advanced xml? simple xml in 5.X? Is postprocess involved at all?

0 Karma

markthompson
Builder

Simple XML in 6.0.5, and i've also tried in 6.1.4.

0 Karma

mvaradarajam
Path Finder

Hi,
use count(eval(searchmatch("Error OR Attempt 3...unsuccessful"))) as count

0 Karma

markthompson
Builder

Hi,
I've tried this stats count(eval(searchmatch("error OR Attempt 3...unsuccessful"))) AS value

it now detects them in events, but in the statistics bit it counts 0, despite showing over 100 counts of the error message. Any suggestions?

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...