Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Status Field Showing Both the values in same field?

karthi2809
Builder
‎05-09-2024 09:37 AM

Hi All,

This the query which i try to get status.But in the table its shows both error and success.PFA screenshot

| eval Status=case(priority="ERROR" AND tracePoint="EXCEPTION" OR message="*Error while processing*","ERROR", priority="WARN","WARN",priority!="ERROR" AND tracePoint!="EXCEPTION" OR message!="*(ERROR):*","SUCCESS") |stats values(Status) as Status by transactionId
Labels (2)
Labels
Preview file
11 KB
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎05-10-2024 01:06 AM 
| eval Status=case(priority="ERROR" AND tracePoint="EXCEPTION" OR message="*Error while processing*","ERROR", priority="WARN","WARN",priority!="ERROR" AND tracePoint!="EXCEPTION" OR message!="*(ERROR):*","SUCCESS") |stats values(Status) as Status by transactionId
| eval Status=mvindex(Status, 0)

View solution in original post

Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎05-09-2024 09:59 AM

This is because the transaction ids have events with both sorts of status. If you just want the latest, you could try something like this

|stats latest(Status) as Status by transactionId
0 Karma
Reply
Solved! Jump to solution

karthi2809
Builder
‎05-09-2024 10:12 AM

If i use some of the transactionID is error but some of its showing as Success.If the priority=error and exception="error" but the status is SUCCESS.I dont know y.

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎05-09-2024 10:17 AM

Please provide some anonymised representative events which demonstrate the issue you are facing, what results you are getting, and your expected results.

0 Karma
Reply
Solved! Jump to solution

karthi2809
Builder
‎05-09-2024 10:28 AM

Based on priority field and tracepoint field i am getting the status field.If priority is error and tracepoint as exception then i set status as per the keyword.But in some case its showing both ERROR and SUCCESS.

Messageprioritytracepoint
After Common SFTP Get File List ResponseINFOAFTER_REQUEST 
After Common SFTP Get File List ResponseINFOAFTER_REQUEST
Before Common SFTP Get File Data RequestINFOBEFORE_REQUEST
Before Common SFTP Get File List RequestINFOBEFORE_REQUEST
Before Common SFTP Archive File RequestINFOBEFORE_REQUEST
File Upload Request for BEFORE_REQUESTINFOBEFORE_REQUEST
File Upload to in SFTP mode. >>> ENDINFOEND
  END
File Upload Request for fERROREXCEPTION
Error while trying to upload file to GCP from Common SFTPERROREXCEPTION
DEV(ERROR): Error while processing System requestINFOBEFORE_REQUEST
0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎05-09-2024 03:01 PM

So if a transaction has both ERROR and not ERROR, what do you want it to show?

0 Karma
Reply
Solved! Jump to solution

karthi2809
Builder
‎05-09-2024 04:57 PM

If error and exception then it should be error rest of them are success.but using the below query to get status still.i got both suuccess and error for the some of the transactions ID 

| eval Status=case(priority="ERROR" AND tracePoint="EXCEPTION" OR message="*Error while processing*","ERROR", priority="WARN","WARN",priority!="ERROR" AND tracePoint!="EXCEPTION" OR message!="*(ERROR):*","SUCCESS") |stats values(Status) as Status by transactionId
 
 
0 Karma
Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎05-10-2024 01:06 AM 
| eval Status=case(priority="ERROR" AND tracePoint="EXCEPTION" OR message="*Error while processing*","ERROR", priority="WARN","WARN",priority!="ERROR" AND tracePoint!="EXCEPTION" OR message!="*(ERROR):*","SUCCESS") |stats values(Status) as Status by transactionId
| eval Status=mvindex(Status, 0)
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...