×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
aniketsamudra
Engager
Member since: ‎02-14-2024
‎02-15-2024
Community Statistics
Posts 5
Solutions 0
Karma Given 1
Karma Received 0
Member Since ‎02-14-2024
Activity Feed
View All

Re: EVAL for ELSE IF condition

by in Splunk Search
‎02-15-2024 07:31 PM
‎02-15-2024 07:31 PM
Got it resolved.. corrected one bracket Thank You so much for the pointer on 'if' required everytime ... View more

Re: EVAL for ELSE IF condition

by in Splunk Search
‎02-15-2024 07:17 PM
‎02-15-2024 07:17 PM
Nope! Getting error as  Error in 'EvalCommand': The expression is malformed. Expected ).   ... View more

Re: EVAL for ELSE IF condition

by in Splunk Search
‎02-15-2024 02:41 AM
‎02-15-2024 02:41 AM
Having a similar issue, | eval Test= if( (like('thrown.extendedStackTrace',"%403%"),"403"),(like('thrown.extendedStackTrace',"%404%"),"404"),"###ERROR####") But getting error as --> Error in 'EvalCommand': The expression is malformed. Expected ).   ... View more

Re: Match or Substring for nested object not worki...

by in Splunk Search
‎02-15-2024 02:18 AM
‎02-15-2024 02:18 AM
Excellent, that worked.. Thank You !! ... View more

Match or Substring for nested object not working

by in Splunk Search
‎02-14-2024 11:01 PM
‎02-14-2024 11:01 PM
I am running query ->  index=* source="/somesource/*" message "403" | search level IN (ERROR) And Response is --> { "instant": { "epochSecond": 1707978481, "nanoOfSecond": 72000000 }, "thread": "main", "level": "ERROR", "message": "Error while creating user group", "thrown": { "commonElementCount": 0, "extendedStackTrace": "403 Forbidden:" }, "endOfBatch": false, "threadId": 1, "threadPriority": 5, "timestamp": "2024-02-15T06:28:01.072+0000" } Now, when i ran following query -> index=* source="/somesource/*" message "403" | search level IN (ERROR) | eval Test=substr(message,1,5) | eval Test1=substr(thrown.extendedStackTrace, 1, 3) | table Test, Test1 I am getting value for Test. Correct substring occuring (Output is Error). But for Test1, its empty string, where as I am expecting 403. As message is on root, its working, but the extendedStackTrace is under thrown, the thrown.extendedStackTrace is not rending the correct result. Although, if i do ...| table Test, Test1, thrown.extendedStackTrace There is a proper value coming in for thrown.extendedStackTrace What am i missing? ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎02-15-2024 11:12 PM
Karma given to
View All