Splunk Search
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Use EVAL and Case for Windows EventCodes to provide information in table output.

JDukeSplunk
Builder
‎08-04-2015 11:17 AM

Using this code I am able to generate a table for IIS Application Pool specific errors. With the eval-case providing a little info about the EventCode. 

(host=stwweb0* NOT host=stwweb0*I) sourcetype=WinEventLog:System SourceName="Microsoft-Windows-WAS"  NOT 5186 | rex field=Message "(?i) pool (?P<Pool>[^ ]+)" |eval EventNumber=case(EventCode=5009 ,"5009 Terminated Unexpectedly",EventCode=5011,"5011 Communication Error",EventCode=5012,"5012 exceeded time limits during start up",EventCode=5013,"5013, exceeded time limits during shut down" ,EventCode=5014,"5014, internal error in its process management",EventCode=5074,"5074, worker process reached its allowed processing time limit",EventCode=5079,"5079, An administrator has requested a recycle",EventCode=5076,"5076, scheduled recycle time",EventCode=5138,"5138, failed to stop a listener channel for protocol 'http' in the allotted time",EventCode=5080,"5080, Recycled due to system settings change",EventCode=5010,"5010 Ping Timeout") |stats count by EventCode Pool EventNumber|eval Pool=Pool."-".count | stats list(Pool) as "Pool Count" by EventCode EventNumber

This returns a happy little list.
The problem is if there is no specific eval-case statement for the EventCode it gets dropped from the table output. I am looking for a way to still return Pool and EventCode even if no EventNumber exists. OR, the lump all non-specified EventCodes into an "Other" category.

Any help is appreciated, Thanks in advance! JD

alt text

Tags (3)
capture2.png
Preview file
29 KB
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎08-04-2015 12:02 PM

Just add a default value condition in the eval-case of yours, like this

(host=stwweb0* NOT host=stwweb0*I) sourcetype=WinEventLog:System SourceName="Microsoft-Windows-WAS"  NOT 5186 | rex field=Message "(?i) pool (?P<Pool>[^ ]+)" |eval EventNumber=case(EventCode=5009 ,"5009 Terminated Unexpectedly",EventCode=5011,"5011 Communication Error",EventCode=5012,"5012 exceeded time limits during start up",EventCode=5013,"5013, exceeded time limits during shut down" ,EventCode=5014,"5014, internal error in its process management",EventCode=5074,"5074, worker process reached its allowed processing time limit",EventCode=5079,"5079, An administrator has requested a recycle",EventCode=5076,"5076, scheduled recycle time",EventCode=5138,"5138, failed to stop a listener channel for protocol 'http' in the allotted time",EventCode=5080,"5080, Recycled due to system settings change",EventCode=5010,"5010 Ping Timeout",1=1,"Other") |stats count by EventCode Pool EventNumber|eval Pool=Pool."-".count | stats list(Pool) as "Pool Count" by EventCode EventNumber

View solution in original post

Reply
Solved! Jump to solution

JDukeSplunk
Builder
‎08-04-2015 01:54 PM

That got it 1=1,"Google It".

Pasting my cleaned up version of this in case someone else needs to monitor App Pools the way we do. 

 sourcetype=WinEventLog:System SourceName="Microsoft-Windows-WAS"  NOT 5186 NOT 5076 | rex field=Message "(?i) pool (?P<Pool>[^ ]+)"|eval Description=case(EventCode=5009 ,"Terminated Unexpectedly",EventCode=5011,"Communication Error",EventCode=5013,"Exceeded time during shut down" ,EventCode=5074,"Exceeded allowed processing time",EventCode=5079,"Administrator recycle",EventCode=5076,"Scheduled recycle time",EventCode=5080,"Pool settings changed",EventCode=5010,"Ping Timeout",1=1,"Google It..") |stats count by EventCode Description Pool
0 Karma
Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎08-04-2015 12:02 PM

Just add a default value condition in the eval-case of yours, like this

(host=stwweb0* NOT host=stwweb0*I) sourcetype=WinEventLog:System SourceName="Microsoft-Windows-WAS"  NOT 5186 | rex field=Message "(?i) pool (?P<Pool>[^ ]+)" |eval EventNumber=case(EventCode=5009 ,"5009 Terminated Unexpectedly",EventCode=5011,"5011 Communication Error",EventCode=5012,"5012 exceeded time limits during start up",EventCode=5013,"5013, exceeded time limits during shut down" ,EventCode=5014,"5014, internal error in its process management",EventCode=5074,"5074, worker process reached its allowed processing time limit",EventCode=5079,"5079, An administrator has requested a recycle",EventCode=5076,"5076, scheduled recycle time",EventCode=5138,"5138, failed to stop a listener channel for protocol 'http' in the allotted time",EventCode=5080,"5080, Recycled due to system settings change",EventCode=5010,"5010 Ping Timeout",1=1,"Other") |stats count by EventCode Pool EventNumber|eval Pool=Pool."-".count | stats list(Pool) as "Pool Count" by EventCode EventNumber
Reply
Get Updates on the Splunk Community!

Learn Splunk Insider Insights, Do More With Gen AI, & Find 20+ New Use Cases You Can ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Buttercup Games: Further Dashboarding Techniques (Part 7)

This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...

Stay Connected: Your Guide to April Tech Talks, Office Hours, and Webinars!

What are Community Office Hours? Community Office Hours is an interactive 60-minute Zoom series where ...
li.common.scroll-to.top