- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- streamstats and eval combination to find error
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
streamstats and eval combination to find error
Hi
I have created below dummy sample data-
|makeresults|eval a="1328,1345"
|append[|makeresults| eval state="added", add_field="1855"]
|append[|makeresults| eval state="added", add_field="1860"]
|append[|makeresults| eval a="1855,1328,1860,1345"]
|append[|makeresults| eval state="removed", remove_field="1855"]
|append[|makeresults| eval a="1855,1328,1860,1345"]
Now If you look at data whenever state is added it should add the number to previous `a` field and if it has not added then it should show error field as =1. similarly for state=removed, it should remove that number from previous a field and if not able to removed then it should show error field as =1.
In above case it has successfully added to a field but unsuccess in removing from field a hence last event should show error field as =1.
Thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
At what stage should it check whether its added/removed ? Is it after each addition/removal
For e.g. in the below sample data, should it check after row 2 or only after row 3 ?
Also could there be successive added/removed status ?
e.g
row 1 : added
row2 : removed
row3: added
with the existing data and assumptions, try below
|makeresults|eval a="1328,1345"
|append[|makeresults| eval state="added", add_field="1855"]
|append[|makeresults| eval state="added", add_field="1860"]
|append[|makeresults| eval a="1855,1328,1860,1345"]
|append[|makeresults| eval state="removed", remove_field="1855"]
|append[|makeresults| eval a="1855,1328,1860,1345"]
|eval exists=if(isnull(a),0,1)
|reverse| filldown a |reverse|filldown state
|eval a_list=a|makemv a_list delim=","
|eval add_error=if(isnotnull(add_field) AND isnull(mvfind(a_list,add_field)),1,0)
|eval remove_error=if(isnotnull(remove_field) AND isnotnull(mvfind(a_list,remove_field)),1,0)
|eventstats dc(add_error) as add_error_count,dc(remove_error) as remove_error_count by a,state
|eval a=if(exists==1,a,null())
|eval error=if(add_error_count > 1 OR remove_error_count > 1,1,0)
|eval error=if(exists==1,error,null()),state=if(exists==1,state,null())
|fields - a_list,*_error*,exists
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for reply @renjith_nair
So whenever `a` field has value I need to check based on its all above addition/removal status except for first event.
Yes there can be successive added/removed status.
I need to confirm as per status of addition/removal does it gives correct results in field-`a` if not then highlight it as error.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Did you try the above and is it working?
Announcing Scheduled Export GA for Dashboard Studio
Extending Observability Content to Splunk Cloud
More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!
