×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
kagarlickij
Explorer
Member since: ‎05-14-2024
‎06-28-2024
Community Statistics
Posts 9
Solutions 0
Karma Given 4
Karma Received 0
Member Since ‎05-14-2024
Activity Feed
View All

Re: Splunk search with wildcard in field name

by SplunkTrust in Splunk Search
‎05-19-2024 12:25 AM
‎05-19-2024 12:25 AM
 1. My task is to calculate number of events with "FAILED" value in "RESULT" key, it looks like this and it works (thanks to you guys!) - `index="myIndex" sourcetype ="mySourceType" | foreach "*DEV*" "UAT*" [| eval keep=if(isnotnull('<<FIELD>>'), 1, keep)] | where keep==1 | stats count(eval('RESULT'=="FAILED")) as FAILS | stats values(FAILS)` This gets even more confusing. 'number of events with "FAILED" value in "RESULT" key' implies that you already have a field (key) named "RESULT" that may have a value of "FAILED".  If this is correct, shouldn't your search begins with index="myIndex" sourcetype ="mySourceType" RESULT=FAILED? | stats count(eval('RESULT'=="FAILED")) as FAILS gives one single numeric value.  What is the purpose of cascading |statsvalues(FAILS) after this? | stats count(eval('RESULT'=="FAILED")) as FAILS | stats values(FAILS) gives the exact same single value. Most importantly still, as @PickleRick and I repeatedly point out, Splunk (and most programming languages) do not perform sophisticated calculations in name space, mostly because there is rarely need to do so.  When there is a serious need for manipulating variable name space, it is usually because the upstream programmer made poor design.  In Splunk's case, it is super flexible in handling data without preconceived field names.  As @bowesmana suggested, if you can demonstrate your raw data containing those special keys, it is probably much easier (and more performant) to simply use TERM() filter to limit raw events rather than trying to apply semantics in extracted field names. (TERM is case insensitive by default.)  If you find TERM() too limiting, you can also use Splunk's super flexible field extraction to extract environment groups "Prod" and "Dev" using regex.  This way, all you need to do is index="myIndex" sourcetype ="mySourceType" RESULT=FAILED environment=Dev | stats count You can even do something like index="myIndex" sourcetype ="mySourceType" RESULT=FAILED | stats count by environment Any of these alternatives is better in clarity and efficiency. ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎06-28-2024 12:10 PM
Karma given to