Splunk Search

Status Field Showing Both the values in same field?

karthi2809
Builder

Hi All,

This is the query which I try to get the status. But in the table it shows both error and success. PFA screenshot.

| eval Status=case((priority="ERROR" AND tracePoint="EXCEPTION") OR like(message, "%Error while processing%"), "ERROR", priority="WARN", "WARN", (priority!="ERROR" AND tracePoint!="EXCEPTION") OR NOT like(message, "%(ERROR):%"), "SUCCESS") | stats values(Status) as Status by transactionId
0 Karma

ITWhisperer
SplunkTrust

This is because the transaction ids have events with both sorts of status. If you just want the latest, you could try something like this

|stats latest(Status) as Status by transactionId
0 Karma

karthi2809
Builder

If I use some of the transaction IDs are error but some of them are showing as Success. If the priority=error and exception="error" but the status is SUCCESS. I don't know why.

0 Karma

ITWhisperer
SplunkTrust

Please provide some anonymised representative events which demonstrate the issue you are facing, what results you are getting, and your expected results.

0 Karma

karthi2809
Builder

Based on the priority field and the tracepoint field I am getting the status field. If priority is error and tracepoint is exception then I set status as per the keyword. But in some cases it shows both ERROR and SUCCESS.

Message                                                   | priority | tracepoint
----------------------------------------------------------|----------|---------------
After Common SFTP Get File List Response                  | INFO     | AFTER_REQUEST
After Common SFTP Get File List Response                  | INFO     | AFTER_REQUEST
Before Common SFTP Get File Data Request                  | INFO     | BEFORE_REQUEST
Before Common SFTP Get File List Request                  | INFO     | BEFORE_REQUEST
Before Common SFTP Archive File Request                   | INFO     | BEFORE_REQUEST
File Upload Request for BEFORE_REQUEST                    | INFO     | BEFORE_REQUEST
File Upload to in SFTP mode. >>> END                      | INFO     | END
File Upload Request for f                                 | ERROR    | EXCEPTION
Error while trying to upload file to GCP from Common SFTP | ERROR    | EXCEPTION
DEV(ERROR): Error while processing System request         | INFO     | BEFORE_REQUEST
0 Karma

ITWhisperer
SplunkTrust

So if a transaction has both ERROR and not ERROR, what do you want it to show?

0 Karma

karthi2809
Builder

If error and exception then it should be error, the rest of them are success. But using the below query to get the status, I still got both success and error for some of the transaction IDs.

| eval Status=case((priority="ERROR" AND tracePoint="EXCEPTION") OR like(message, "%Error while processing%"), "ERROR", priority="WARN", "WARN", (priority!="ERROR" AND tracePoint!="EXCEPTION") OR NOT like(message, "%(ERROR):%"), "SUCCESS") | stats values(Status) as Status by transactionId

0 Karma

ITWhisperer
SplunkTrust

| eval Status=case((priority="ERROR" AND tracePoint="EXCEPTION") OR like(message, "%Error while processing%"), "ERROR", priority="WARN", "WARN", (priority!="ERROR" AND tracePoint!="EXCEPTION") OR NOT like(message, "%(ERROR):%"), "SUCCESS") | stats values(Status) as Status by transactionId
| eval Status=mvindex(Status, 0)