Splunk Search

Display results only above a certain number

Snazter57
New Member

Hi all,

I am having trouble displaying search results when I specify that the returned results must be greater than six in the specified time period.

I have looked at:

http://answers.splunk.com/answers/70433/display-results-only-above-certain-number

The query I have works until I use the stats command to perform counting. It's been a long day so it will most likely be something simple but I just can't see it yet, so here goes:

"Error during SSL Handshake" OR "Connection timed out" OR "Connection refused"
| rex "Connection (?<CONN_ERR>.+): proxy: HTTPS: attempt to connect to (?<IP_PORT>.+) \((?<URL_ID>.+)\).+" 
| rex "] proxy: (?<SSL_ERR>.+) with remote server returned by (?<APP_ID>.+)" 
| eval GEN_ERR=mvappend (CONN_ERR,"",SSL_ERR)
| eval URL_OR_APP=mvappend (URL_ID,"",APP_ID)
| fillnull value=N/A
| table host, GEN_ERR, IP_PORT, URL_OR_APP

This query returns a fully populated table with nine "timed out" errors and eleven "SSL" errors in my test time frame.

If I try to

| stats count by host, GEN_ERR, IP_PORT, URL_OR_APP
| search count > 6
| table host, GEN_ERR, IP_PORT, URL_OR_APP

The table then becomes a little bit of a mess with what appears to be (from the count displayed) duplicates with blank fields and then also the fully populated returns on separate lines.

Where did I go wrong?

0 Karma
1 Solution

lguinn2
Legend

I think you misunderstood the meaning of mvappend, which creates a multi-valued field. What I think you wanted was a single field that contains both values. See below:

"Error during SSL Handshake" OR "Connection timed out" OR "Connection refused"
| rex "Connection (?<CONN_ERR>.+): proxy: HTTPS: attempt to connect to (?<IP_PORT>.+) \((?<URL_ID>.+)\).+" 
| rex "] proxy: (?<SSL_ERR>.+) with remote server returned by (?<APP_ID>.+)" 
| fillnull value="N/A"
| eval GEN_ERR=CONN_ERR . " " . SSL_ERR
| eval URL_OR_APP=URL_ID . " " . APP_ID
| stats count by host, GEN_ERR, IP_PORT, URL_OR_APP
| search count > 6

(updated based on comments)

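Why the mvappend version produces extra rows can be seen on two constructed events. The search below is an added example and not part of the thread: the two mod_proxy-style error lines, the host name proxy01 and the ;;; separator are made up here and generated with makeresults rather than read from an index; the two rex patterns are the ones from the question, and fillnull is placed before the evals as the answer does.

```spl
| makeresults count=1
| eval data="[Mon Jan 01 09:00:00 2018] [error] (110)Connection timed out: proxy: HTTPS: attempt to connect to 10.0.0.5:443 (app1.example.com) failed;;;[Mon Jan 01 09:00:01 2018] [error] proxy: Error during SSL Handshake with remote server returned by /app2/login"
| makemv delim=";;;" data
| mvexpand data
| rename data AS _raw
| eval host="proxy01"
| rex "Connection (?<CONN_ERR>.+): proxy: HTTPS: attempt to connect to (?<IP_PORT>.+) \((?<URL_ID>.+)\).+"
| rex "] proxy: (?<SSL_ERR>.+) with remote server returned by (?<APP_ID>.+)"
| fillnull value="N/A" CONN_ERR SSL_ERR IP_PORT URL_ID APP_ID
| eval GEN_ERR_MV=mvappend(CONN_ERR, SSL_ERR)
| eval GEN_ERR_CAT=CONN_ERR . " " . SSL_ERR
| eval mv_values=mvcount(GEN_ERR_MV)
| stats count by host, GEN_ERR_CAT, GEN_ERR_MV, mv_values
```

This returns four rows rather than two, each with count 1: after fillnull every event carries two values in GEN_ERR_MV (mv_values is 2), and stats emits one row per value of a multivalue by-field, so the timeout event appears once under "timed out" and once under "N/A", and the SSL event likewise. That is the same splitting that produced the duplicate rows with blank fields in the question, and with enough events those extra rows pass count > 6 on their own. GEN_ERR_CAT holds a single string per event, so using it in the by-clause instead of GEN_ERR_MV, as the answer does, yields exactly one row per distinct error.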
Snazter57
New Member

Thanks lguinn (and somesoni2), that has indeed helped. I had to remove the fillnull value="N/A" and change it to "" then use replace to populate blank IP_PORT values in a table I added to the end of the query.

0 Karma

lguinn2
Legend

I updated my answer based on somesoni2's comment, and I also changed the eval commands to use explicit concatenation, which may also help.

0 Karma

somesoni2
Revered Legend

Try moving fillnull before your eval commands...

0 Karma

Snazter57
New Member

Hi lguinn, I had previously tried using that method, but when the table populates I get the correct count in two records as expected but the GEN_ERR and URL_OR_APP are marked as N/A by the fillnull command. Omitting fillnull, it returns 20 events but no table.

0 Karma