×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
alex5441
Explorer
Member since: ‎03-30-2021
‎04-05-2021
Community Statistics
Posts 5
Solutions 0
Karma Given 1
Karma Received 0
Member Since ‎03-30-2021
Activity Feed
View All

Re: How to Use IF or Case condition

by in Splunk Search
‎04-05-2021 12:03 PM
‎04-05-2021 12:03 PM
Thank you ITWhisperer, But I am getting error in compile:   ... View more

How to Use IF or Case condition

by in Splunk Search
‎04-05-2021 10:31 AM
‎04-05-2021 10:31 AM
Hi, My logs are in following format: {[-] logger: ....... message: .......... severity: Error } {[-] exception: ......... logger: ....... message: .......... severity: Error } my query is : ........| rex "\"exception\":\"(<ErrorMsg>.*?)\"" | table Application, ErrorMsg   The issue: As some app logs have key "message" and some logs have both "exception" and "message". How can I change my query that first it checks if there is key exception, if it does get the value of that key. If there is no Key exception check if there is key "message", if it does get the value of that. My current query is able to get the value of exception (if I change exception to message, it gets the value of message. But trying to implement IF or CASE condition here)  ... View more
Labels

Re: Extract first 3 lines of raw logs and group

by in Splunk Search
‎03-31-2021 03:38 PM
‎03-31-2021 03:38 PM
Hi manjunathmet, Nothing changed agian. However I think if I get everything extracted value of exception Key that would suffice my requirement.  {"Severity": "ERROR", "exception":"..................................", "logger":"....................."} In above pattern I am able to extract with regex:   exception":"(.*?)" But I have to use it as rex in my SPL which needs escaping special chars which I am not sure about. ... View more

Re: Extract first 3 lines of raw logs and group

by in Splunk Search
‎03-31-2021 06:54 AM
‎03-31-2021 06:54 AM
Hi @manjunathmeti  Thanks for your reply  but Nothing changed on table. ... View more

Extract first 3 lines of raw logs and group

by in Splunk Search
‎03-30-2021 09:37 PM
‎03-30-2021 09:37 PM
Hi, My current query for splunk dashboard is as: ........| eval ErrorMsg=_raw | stats count by Application, ErrorMsg | sort -count | table count, Application, ErrorMsg My able looks like this: count Application ErrorMsg 5 abc {"severity" : "ERROR", "exception" : "xyz abc asd......."........"time" : "12:00:00"><there are mutiple key value pairs with data in multiple lines>........} 10 abc {"severity" : "ERROR", "exception" : "xyz abc asd......."........."time" : "12:01:00"<there are mutiple key value pairs with data in multiple lines>........}   How can I get table like this: 15 abc "exception" : "xyz abc asd  ... View more
Labels
Contact Me
Online Status
Offline
Date Last Visited
‎04-05-2021 07:20 PM
Karma given to
View All