Splunk Search

Need alternative to nested if's + wildcard for time sensitive error reporting

daviduslan
Path Finder

Hello,

I have the following situation that I was hoping to use nested if's to solve. We have a series of errors that are only actionable if they appear over a period of time. Many of the errors share similar messages, so I was hoping to use wildcards to capture them all. Unfortunately, wildcards don't appear to work in if statements, so I was wondering if anyone with more experience (I'm a huge noob) could point me towards a better method that accomplishes the same goal. Here is my current query:

index=echelon sourcetype=echelon_error | eval error_type=if( message="Redis search failure*", "Search Failure", (if(message="PHP Fatal error:*", "PHP Fatal Errors", (if(message="sendsoaprequest failed*", "Soap Request Failed", (if(message="*Maximum execution time of 600 seconds exceeded*", "Max Execution Exceeded", (if(message="*Error creating performer_profile entry*", "Performer Profile Entry Error", (if(message="*exception='foo*", "MainController Failure", (if(program="/sync-staging.pl", "Staging Sync Error", ""))))))))))))) | Where error_type !="" | bucket _time span=1h | stats count AS program_count by program, error_type, _time | stats count AS program_occurred_in_x_different_hours, sum(program_count) AS error_occurrences_total by program, error_type | where program_occurred_in_x_different_hours > 1
Tags (3)
0 Karma
1 Solution

richgalloway
SplunkTrust
SplunkTrust

Perhaps a case statement would help.

eval error_type=case (message like "Redis search failure%", "Search Failure", message like "PHP Fatal error:%", "PHP Fatal Errors", message like "sendsoaprequest failed%", "Soap Request Failed", message "%Maximum execution time of 600 seconds exceeded%", "Max Execution Exceeded", message like "%Error creating performer_profile entry%", "Performer Profile Entry Error", message like "%exception='foo%", "MainController Failure", program="/sync-staging.pl", "Staging Sync Error") | Where error_type NOT NULL | ...
---
If this reply helps you, Karma would be appreciated.

View solution in original post

richgalloway
SplunkTrust
SplunkTrust

Perhaps a case statement would help.

eval error_type=case (message like "Redis search failure%", "Search Failure", message like "PHP Fatal error:%", "PHP Fatal Errors", message like "sendsoaprequest failed%", "Soap Request Failed", message "%Maximum execution time of 600 seconds exceeded%", "Max Execution Exceeded", message like "%Error creating performer_profile entry%", "Performer Profile Entry Error", message like "%exception='foo%", "MainController Failure", program="/sync-staging.pl", "Staging Sync Error") | Where error_type NOT NULL | ...
---
If this reply helps you, Karma would be appreciated.

daviduslan
Path Finder

This would probably work too. The match statement did the trick as well. Thanks for the comment!

0 Karma

daviduslan
Path Finder

Found the solution, OK to ignore this. Used match within the if.

if( match(message, ".*PHP Fatal error:*."), "PHP Fatal Errors", (if
0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...