Sort and compare message_text - noob needs help

FinnHatlen · ‎10-08-2020

Hello, I have this new task that I'm not sure how to go about it. I'm new to splunk so any help is really appreciated.

I want to create a dashboard that monitors all power issues that's been logged, as well as a dashboard for all remaining issues based on the message text below:

host_name=Contoso* OR host_name=Kontoso* AND message_text="Power supply 1 has failed or been turned off"
OR message_text="Power supply 1 is okay" OR message_text="Power supply 2 has failed or been turned off" OR message_text="Power supply 2 is okay"
OR "Power-module 0/PS0/M1/SP failure condition cleared" OR "0/PS0/M1/SP, state: FAILED"

First off, the field "message_text" only captured four out of six messages, so these two were left out:
"Power-module 0/PS0/M1/SP failure condition cleared" OR "0/PS0/M1/SP, state: FAILED"

I tried to see if i could create a new or update message_text to include these two, but it looked like it just added it to a new field that I couldn't find when I used the same filter afterwards.

Is it here that I use the eval-function to compare and remove logs that has been cleared?

ashajambagi · ‎10-08-2020

Hi @FinnHatlen

If the other two values are added to some other field, you could write an eval and use coalesce function to include it in message_text.

https://docs.splunk.com/Documentation/Splunk/8.0.6/SearchReference/ConditionalFunctions#coalesce.28X...

Sort and compare message_text - noob needs help

introduction

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!