Splunk Search

Status Field Showing Both the values in same field?

karthi2809
Builder

Hi All,

This is the query I use to get the status, but in the table it shows both ERROR and SUCCESS. PFA screenshot.

| eval Status=case(
    priority="ERROR" AND tracePoint="EXCEPTION" OR message="*Error while processing*", "ERROR",
    priority="WARN", "WARN",
    priority!="ERROR" AND tracePoint!="EXCEPTION" OR message!="*(ERROR):*", "SUCCESS")
| stats values(Status) as Status by transactionId
1 Solution

ITWhisperer
SplunkTrust
| eval Status=case(
    priority="ERROR" AND tracePoint="EXCEPTION" OR message="*Error while processing*", "ERROR",
    priority="WARN", "WARN",
    priority!="ERROR" AND tracePoint!="EXCEPTION" OR message!="*(ERROR):*", "SUCCESS")
| stats values(Status) as Status by transactionId
| eval Status=mvindex(Status, 0)
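The following Python model is an added example, not Splunk code and not the poster's or the answerer's query. It replays the thread's case() expression per event and then applies the three aggregations discussed (stats values(), stats latest(), and values() followed by mvindex(Status, 0)) over a small constructed event set modelled on the anonymised table later in the thread; transaction ids, times and the fourth worst_status() approach are assumptions for illustration. Two points it makes visible: stats values() returns unique values in lexicographic order, which is why mvindex(..., 0) reliably yields ERROR when one is present (but puts SUCCESS ahead of WARN); and in Splunk eval, "=" is an exact string comparison, so a pattern like "*Error while processing*" never matches a real message (like() or match() would be needed), which is why the DEV(ERROR) row in the sample still evaluates to SUCCESS.

```python
"""Model of the thread's SPL: eval Status=case(...) per event, then stats by transactionId.
Added example; the events below are constructed to mirror the anonymised table in the thread."""
from collections import defaultdict

# Constructed events: (_time, transactionId, priority, tracePoint, message).
EVENTS = [
    (1, "T1", "INFO",  "BEFORE_REQUEST", "Before Common SFTP Get File List Request"),
    (2, "T1", "INFO",  "AFTER_REQUEST",  "After Common SFTP Get File List Response"),
    (3, "T1", "ERROR", "EXCEPTION",      "Error while trying to upload file to GCP from Common SFTP"),
    (4, "T1", "INFO",  "END",            "File Upload to in SFTP mode. >>> END"),
    (1, "T2", "INFO",  "BEFORE_REQUEST", "Before Common SFTP Get File Data Request"),
    (2, "T2", "INFO",  "END",            "File Upload to in SFTP mode. >>> END"),
    (1, "T3", "INFO",  "BEFORE_REQUEST", "DEV(ERROR): Error while processing System request"),
    (2, "T3", "WARN",  "END",            "File Upload to in SFTP mode. >>> END"),
]


def eval_status(priority, trace_point, message):
    """Mirror the case() from the thread, clause by clause.
    In Splunk eval, '=' is an exact string comparison, so the "*Error while processing*"
    pattern only matches a message that literally equals that string, asterisks included;
    in practice the clause never fires. AND binds tighter than OR, as in SPL."""
    if (priority == "ERROR" and trace_point == "EXCEPTION") or message == "*Error while processing*":
        return "ERROR"
    if priority == "WARN":
        return "WARN"
    if (priority != "ERROR" and trace_point != "EXCEPTION") or message != "*(ERROR):*":
        return "SUCCESS"
    return None  # case() with no matching clause yields NULL


def stats_values(events):
    """stats values(Status) by transactionId: unique values, lexicographically sorted."""
    by_txn = defaultdict(set)
    for _t, txn, pri, tp, msg in events:
        status = eval_status(pri, tp, msg)
        if status is not None:
            by_txn[txn].add(status)
    return {txn: sorted(vals) for txn, vals in by_txn.items()}


def mvindex0(values_by_txn):
    """eval Status=mvindex(Status, 0) applied to the values() result: first entry of the sorted list."""
    return {txn: vals[0] for txn, vals in values_by_txn.items()}


def stats_latest(events):
    """stats latest(Status) by transactionId: the Status of the event with the greatest _time."""
    latest = {}
    for t, txn, pri, tp, msg in events:
        status = eval_status(pri, tp, msg)
        if status is not None and (txn not in latest or t > latest[txn][0]):
            latest[txn] = (t, status)
    return {txn: status for txn, (_t, status) in latest.items()}


# Assumed severity ranking for the explicit-precedence variant below.
SEVERITY = {"ERROR": 3, "WARN": 2, "SUCCESS": 1}


def worst_status(events):
    """Explicit precedence: rank each Status and keep the maximum per transaction.
    This is the order-independent equivalent of an SPL
    eval sev=case(Status="ERROR",3, Status="WARN",2, true(),1) | stats max(sev) by transactionId."""
    worst = {}
    for _t, txn, pri, tp, msg in events:
        status = eval_status(pri, tp, msg)
        if status is not None and SEVERITY[status] > worst.get(txn, 0):
            worst[txn] = SEVERITY[status]
    name_of = {rank: name for name, rank in SEVERITY.items()}
    return {txn: name_of[rank] for txn, rank in worst.items()}


if __name__ == "__main__":
    vals = stats_values(EVENTS)
    print("values():       ", vals)            # T1 carries both ERROR and SUCCESS
    print("mvindex(_, 0):  ", mvindex0(vals))  # T1 -> ERROR, but T3 -> SUCCESS (WARN sorts later)
    print("latest():       ", stats_latest(EVENTS))  # T1 -> SUCCESS, the error is hidden by the END event
    print("worst_status(): ", worst_status(EVENTS))  # T1 -> ERROR, T3 -> WARN
```

Run stand-alone to see the four results side by side. For T1 the mvindex(Status, 0) form yields ERROR only because "ERROR" sorts before "SUCCESS"; latest() returns SUCCESS because the END event is newest, so a failed transaction would be reported as successful. Ranking statuses and taking the maximum makes the precedence explicit instead of relying on sort order or event timing.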

ITWhisperer
SplunkTrust

This is because the transaction ids have events with both sorts of status. If you just want the latest, you could try something like this

|stats latest(Status) as Status by transactionId

karthi2809
Builder

If I use it, some of the transactionIDs show as error but some of them show as Success. If priority=error and exception="error", the status is still SUCCESS. I don't know why.


ITWhisperer
SplunkTrust

Please provide some anonymised representative events which demonstrate the issue you are facing, what results you are getting, and your expected results.


karthi2809
Builder

Based on the priority field and the tracepoint field I derive the status field. If priority is error and tracepoint is exception then I set status as per the keyword. But in some cases it shows both ERROR and SUCCESS.

Message                                                    | priority | tracepoint
-----------------------------------------------------------|----------|---------------
After Common SFTP Get File List Response                   | INFO     | AFTER_REQUEST
After Common SFTP Get File List Response                   | INFO     | AFTER_REQUEST
Before Common SFTP Get File Data Request                   | INFO     | BEFORE_REQUEST
Before Common SFTP Get File List Request                   | INFO     | BEFORE_REQUEST
Before Common SFTP Archive File Request                    | INFO     | BEFORE_REQUEST
File Upload Request for BEFORE_REQUEST                     | INFO     | BEFORE_REQUEST
File Upload to in SFTP mode. >>> END                       | INFO     | END
File Upload Request for f                                  | ERROR    | EXCEPTION
Error while trying to upload file to GCP from Common SFTP  | ERROR    | EXCEPTION
DEV(ERROR): Error while processing System request          | INFO     | BEFORE_REQUEST

ITWhisperer
SplunkTrust

So if a transaction has both ERROR and not ERROR, what do you want it to show?


karthi2809
Builder

If error and exception then it should be error; the rest of them are success. But using the below query to get the status, I still got both SUCCESS and ERROR for some of the transaction IDs.

| eval Status=case(
    priority="ERROR" AND tracePoint="EXCEPTION" OR message="*Error while processing*", "ERROR",
    priority="WARN", "WARN",
    priority!="ERROR" AND tracePoint!="EXCEPTION" OR message!="*(ERROR):*", "SUCCESS")
| stats values(Status) as Status by transactionId
