Stats Count Eval Error using OR

Builder

Hi,
I'm creating a traffic light system and I have this part of my search string: 'stats count(eval("Error" OR "Attempt 3...unsuccessful.")) AS value'.

But Splunk won't let me use OR inside the eval(). Is there any way round this, as I need it to count the number of times that it says "Error" or "Attempt 3...unsuccessful."?

Thanks in advance.

Re: Stats Count Eval Error using OR

Path Finder

Hi,
use count(eval(searchmatch("Error OR Attempt 3...unsuccessful"))) as count

0 Karma
Re: Stats Count Eval Error using OR

Builder

Hi,
I've tried this: stats count(eval(searchmatch("error OR Attempt 3...unsuccessful"))) AS value

It now detects them in events, but in the statistics bit it counts 0, despite showing over 100 counts of the error message. Any suggestions?

0 Karma
Re: Stats Count Eval Error using OR

SplunkTrust

I would break this apart into a more explicit eval clause that creates a temporary field value, and then a simpler stats clause that operates on that field value. That way you have the full breadth of the eval command rather than the (I think) more limited syntax supported in stats/chart/timechart.

| eval type=if(searchmatch("Error") OR searchmatch("Attempt 3...unsuccessful."),"succeeded","failed") | stats count by type

or for a different approach

| eval isFailure=if(searchmatch("Error") OR searchmatch("Attempt 3...unsuccessful."),1,0) | stats sum(isFailure) as failures
0 Karma
Re: Stats Count Eval Error using OR

Builder

Hi,
Tried this but it now displays "N/A" instead of the traffic light that the rest of them show, here's the string:
eval isFailure=if(searchmatch("Error") OR searchmatch("Attempt 3...unsuccessful."),1,0) | stats sum(isFailure) as failures | rangemap field=failures low=0-0 elevated=1-2 severe=3-15 default=520

Any further ideas?

0 Karma
Re: Stats Count Eval Error using OR

SplunkTrust
SplunkTrust

Oddly, it sounds just like a longstanding bug in Splunk's SingleValue module, i.e. in the "advanced XML" (or a single element in the 5.x simple XML, which amounts to the same thing). That bug makes the element always display N/A if the main search results return no result rows, even if, after being postprocessed, they return some rows. If that fits here, you might try replacing it with the Sideview XML equivalents, which are either Link + Redirector, or the HTML module.

Otherwise, is postprocess involved here at all? If so, I would double-check that the base search syntax plus the postprocess syntax doesn't throw an error when combined manually into a single search run in the default search UI.

0 Karma
Re: Stats Count Eval Error using OR

Builder

I don't think this fits. I have multiple other searches that all use roughly the same string, with some minor changes to the host etc., but that's just to select which logs to read from. The only thing that's different in this one is the OR statement, and I'm using the second one that you answered. Thanks

0 Karma
Re: Stats Count Eval Error using OR

SplunkTrust
SplunkTrust

OK. What kind of dashboard is this? Simple XML in 6.X? Sideview XML? Core advanced XML? Simple XML in 5.X? Is postprocess involved at all?

0 Karma
Re: Stats Count Eval Error using OR

Builder

Simple XML in 6.0.5, and I've also tried in 6.1.4.

0 Karma
Re: Stats Count Eval Error using OR

Builder

Still experiencing problems even in 6.1.4, with it only displaying N/A. I will put the whole search query in: transaction startswith="Targeting file BP_Comp_Summ_Pos*" endswith="Server returned an error: No such file or folder" OR "The file was downloaded successfully." | search "Error" OR "Attempt 3...unsuccessful." | eval interval=relative_time(_time,"@d") | eval isFailure=if(searchmatch("Error") OR searchmatch("Attempt 3...unsuccessful."),1,0) | stats sum(isFailure) as failures | rangemap field=isFailure low=0-0 elevated=1-2 severe=3-15 default=520

0 Karma
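To make the eval / stats / rangemap pipeline discussed in this thread concrete, here is an added Python model of those three steps (this is not SPL and not code from any post above). It approximates searchmatch() as a case-insensitive substring test, the log lines are constructed, and it also shows why rangemap produces no range when asked for a field (isFailure) that no longer exists after stats has reduced the events to a single row containing only the field named by `as failures`.

```python
# Constructed sample events (not taken from the thread): a handful of
# transfer-log lines in the style the poster's transaction search returns.
EVENTS = [
    "Targeting file BP_Comp_Summ_Pos_01.csv",
    "Server returned an error: No such file or folder",
    "Attempt 3...unsuccessful.",
    "The file was downloaded successfully.",
    "ERROR: connection reset by peer",
    "Attempt 1...unsuccessful.",
]

# The two strings the thread ORs together. Splunk term matching is
# case-insensitive; a lowercase substring test is an approximation of
# searchmatch(), not a reimplementation of Splunk's tokenizer.
FAILURE_TERMS = ("error", "attempt 3...unsuccessful.")


def is_failure(event: str) -> int:
    """eval isFailure=if(searchmatch("Error") OR searchmatch("Attempt 3...unsuccessful."),1,0)"""
    text = event.lower()
    return 1 if any(term in text for term in FAILURE_TERMS) else 0


def stats_sum_failures(events) -> dict:
    """stats sum(isFailure) as failures

    The result row contains ONLY 'failures'; per-event fields such as
    isFailure do not survive the stats command."""
    return {"failures": sum(is_failure(e) for e in events)}


# rangemap low=0-0 elevated=1-2 severe=3-15, as in the thread.
RANGES = {"low": (0, 0), "elevated": (1, 2), "severe": (3, 15)}


def rangemap(row: dict, field: str, ranges=RANGES, default="default"):
    """rangemap field=<field> ...: returns the matching range name, the
    default label when the value lies outside every range, or None when
    <field> is absent from the row (the case a single-value panel shows
    as N/A)."""
    if field not in row:
        return None
    value = row[field]
    for name, (lo, hi) in ranges.items():
        if lo <= value <= hi:
            return name
    return default


def traffic_light(events, field="failures"):
    """Whole pipeline: eval -> stats -> rangemap on the chosen field."""
    return rangemap(stats_sum_failures(events), field)
```

Running traffic_light(EVENTS) maps the three matching lines to "severe", while traffic_light(EVENTS, field="isFailure") returns None because the stats output row has no such field.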