I'm creating a traffic light system and I have this part of my search string: 'stats count(eval("Error" OR "Attempt 3...unsuccessful.")) AS value'.
But Splunk won't let me use the OR value inside the eval(). Is there any way round this? I need it to count the number of times that it says "Error" or "Attempt 3...unsuccessful."
Thanks in advance.
I've tried this: stats count(eval(searchmatch("error OR Attempt 3...unsuccessful"))) AS value
It now detects them in events, but in the statistics bit it counts 0, despite showing over 100 counts of the error message. Any suggestions?
I would break this apart into a more explicit eval clause that creates a temporary field value, and then a simpler stats clause that operates on that field value. That way you have the full breadth of the eval command rather than the (I think) more limited syntax supported in stats/chart/timechart.
| eval type=if(searchmatch("Error") OR searchmatch("Attempt 3...unsuccessful."),"failed","succeeded") | stats count by type
Or, for a different approach:
| eval isFailure=if(searchmatch("Error") OR searchmatch("Attempt 3...unsuccessful."),1,0) | stats sum(isFailure) as failures
Tried this, but it now displays "N/A" instead of the traffic light that the rest of them show. Here's the string:
eval isFailure=if(searchmatch("Error") OR searchmatch("Attempt 3...unsuccessful."),1,0) | stats sum(isFailure) as failures | rangemap field=failures low=0-0 elevated=1-2 severe=3-15 default=520
Any further ideas?
Oddly, it sounds just like a longstanding bug in Splunk's SingleValue module, i.e. in the "advanced XML" (or a single element in the 5.x simple XML, which amounts to the same thing). That bug makes the element always display N/A if the main search results return no result rows, even if, after being postprocessed, they return some rows. If that fits here, you might try replacing it with the Sideview XML equivalents, which are either Link + Redirector, or the HTML module.
Otherwise, is postprocess involved here at all? If so, I would double check that the base search syntax plus the postprocess syntax doesn't throw an error when combined manually into a single search run in the default search UI.
I don't think this fits. I have multiple other searches that all use roughly the same string, with some minor changes to the host etc., but that's just to select which logs to read from. The only thing that's different in this one is the OR statement, and I'm using the second one that you answered. Thanks
Still experiencing problems even in 6.1.4, with it only displaying N/A. I will put the whole search query in:
transaction startswith="Targeting file BP_Comp_Summ_Pos*" endswith="Server returned an error: No such file or folder" OR "The file was downloaded successfully." | search "Error" OR "Attempt 3...unsuccessful." | eval interval=relative_time(_time,"@d") | eval isFailure=if(searchmatch("Error") OR searchmatch("Attempt 3...unsuccessful."),1,0) | stats sum(isFailure) as failures | rangemap field=isFailure low=0-0 elevated=1-2 severe=3-15 default=520
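As an added example (not a query from anyone in this thread), here is the eval/stats/rangemap pipeline written so that the field name stays consistent from `stats` through `rangemap`, and so that a result row exists even when no failure messages were found in the time range. The `index=...` and `sourcetype=...` values are placeholders you would replace with your own log selection; the `appendpipe` idiom and `default=severe` are my choices, not anything the thread states.

```spl
index=<your_index> sourcetype=<your_sourcetype>
| eval isFailure=if(searchmatch("Error") OR searchmatch("Attempt 3...unsuccessful."), 1, 0)
| stats sum(isFailure) AS failures
| appendpipe [ stats count AS failures | where failures=0 ]
| rangemap field=failures low=0-0 elevated=1-2 severe=3-15 default=severe
```

Two points this illustrates. First, `stats sum(isFailure) AS failures` renames the aggregate, so `isFailure` no longer exists after that command; `rangemap` has to reference `failures`, otherwise no `range` value is produced and a single-value panel shows N/A. Second, `stats` over zero matching events returns no rows at all, which is exactly the empty-result case the SingleValue bug above is sensitive to; the `appendpipe` subsearch counts the rows coming out of `stats` (0 or 1) and, only when that count is 0, appends a row with `failures=0`, so the panel always has a row to colour. Validate the whole string in the search UI before embedding it in a dashboard, as suggested above, since a field-name mismatch like this does not raise an error, it just yields an empty field.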