Splunk Search does not show expected results

hsh
New Member

Hi

I have a specific event message that I'm trying to search for.

Now my ideal search string looks like this:

index=bec_ci_prod deploy_status_type=info direction=exiting method=execute_package

Now this search string does not give me a result.

But if I remove the last token from the search like this:

index=bec_ci_prod deploy_status_type=info direction=exiting

Then I get a result.

I know the event data is there because I can search specifically for it.

The text that contains what I'm looking for looks like this:

12:13:49|INFO|internals.py|147| [deploy_status] deploy_status_type=info direction=exiting method=execute_package file=deploy_profile.py engine_type=was method_duration=562156

Any ideas of how to do a search that would show this?

Kind Regards
Henrik

0 Karma
1 Solution

esix_splunk
Splunk Employee

Ok part of the issue is when you add terms in the form of a=b, Splunk is looking for Key Value Pairs. KV pairs have to be extracted. Try either extracting those Key Value Pairs, or running a literal search by enclosing the terms in quotes.

index=bec_ci_prod SWIFT-TEST-RMA-AskProfileDeploySwitch AND  ("deploy_status_type=info" AND "direction=exiting" AND  "method=execute_package")

0 Karma

hsh
New Member

Hi Guys

Thanks for the input, the result was that:

index=bec_ci_prod ("deploy_status_type=info" AND "direction=exiting" AND "method=execute_package")

actually does work. It did return the expected result; I just missed it the first run through.

Thanks a lot for the assist

0 Karma

hsh
New Member

Hi, I tried modifying the search string as you suggested.

However, this search string:

index=bec_ci_prod SWIFT-TEST-RMA-AskProfileDeploySwitch AND ("deploy_status_type=info" AND "direction=exiting" AND "method=execute_package")

is just to verify that the event I want in my list is actually there. The original search string also returns the event:
index=bec_ci_prod SWIFT-TEST-RMA-AskProfileDeploySwitch deploy_status_type=info direction=exiting method=execute_package

The goal is to have a search string that looks like this:

index=bec_ci_prod ("deploy_status_type=info" AND "direction=exiting" AND "method=execute_package")

and that will return a list with all the events with this data in it:

EVENT1
12:51:35|INFO|internals.py|147| [deploy_status] deploy_status_type=info direction=exiting method=execute_package file=deploy_profile.py engine_type=was method_duration=406745
... 81 lines omitted ...
source = H:\hudson\jobs\INET-SANDBOX-SERVLETETICKET-AskDeploySwitch\builds\2016-09-06_12-4

EVENT2
12:13:47|INFO|bitvise.py|408| [b00011103134.res.bec.dk] 12:13:47|INFO|install_profile.py|860| DEPLOYMENT OF rma_test was FINISHED! 12:13:49|INFO|internals.py|147| [deploy_status] deploy_status_type=info direction=exiting method=execute_package file=deploy_profile.py engine_type=was method_duration=562156
source = H:\hudson\jobs\SWIFT-TEST-RMA-AskProfileDeploySwitch\builds\2016-09-06_12-02-46\log

As I can see it, the only difference between these two events is the source information. But I do not want to use that either.

So in short, the search string: index=bec_ci_prod ("deploy_status_type=info" AND "direction=exiting" AND "method=execute_package")

needs to return EVENT1 & EVENT2, but currently only EVENT1 is in my result.

0 Karma

hsh
New Member

Hi

I think I need to clarify: the search string index=bec_ci_prod deploy_status_type=info direction=exiting method=execute_package

does return a result; however, there is a certain event that should fit these search criteria, but it's not in the search result.

This is the text from an event that is in the result:

09:46:15|INFO|internals.py|147| [deploy_status] deploy_status_type=info direction=exiting method=execute_package file=deploy_profile.py engine_type=http method_duration=48977

Now this is the text from the event that is NOT in the result:

12:13:49|INFO|internals.py|147| [deploy_status] file=deploy_profile.py engine_type=was method_duration=562156

I have a unique search string that does return the specific event that should be in the result.

This string returns the event:
index=bec_ci_prod SWIFT-TEST-RMA-AskProfileDeploySwitch deploy_status_type=info direction=exiting

This string does not:
index=bec_ci_prod SWIFT-TEST-RMA-AskProfileDeploySwitch deploy_status_type=info direction=exiting method=execute_package

I have no idea why this is 🙂

0 Karma

s2_splunk
Splunk Employee

Your search terms are implicitly combined using a boolean AND operation. Any events that do not have a method field will consequently not qualify for your result set.
In other words: you are explicitly looking for method=execute_package, but that key/value pair is not present in the log event you have listed as not showing up. So, the results are as expected.

0 Karma

hsh
New Member

Hi, you're right, the text I posted did not contain the information. I think there was a copy/paste issue.

Because the event I expect to have on my list has this data:

12:13:49|INFO|internals.py|147| [deploy_status] deploy_status_type=info direction=exiting method=execute_package file=deploy_profile.py engine_type=was method_duration=562156

And the method field is in the text. But it is just not in my result set.

And this is the text from an event that IS shown:

12:54:03|INFO|internals.py|147| [deploy_status] deploy_status_type=info direction=exiting method=execute_package file=deploy_profile.py engine_type=was method_duration=1024765

The time range of my search is only 1 hour on a specific date, so I know that the event I expect is there.

I can get the event in my result by writing:

index=bec_ci_prod SWIFT-TEST-RMA-AskProfileDeploySwitch ("deploy_status_type=info" AND "direction=exiting" AND "method=execute_package")

But I need the search string to look something like this:

index=bec_ci_prod ("deploy_status_type=info" AND "direction=exiting" AND "method=execute_package")

This text: SWIFT-TEST-RMA-AskProfileDeploySwitch is different for most events.

0 Karma

esix_splunk
Splunk Employee

I have a feeling your fields aren't being extracted properly. What do you get if you do the following:

index=bec_ci_prod deploy_status_type=info direction=exiting | table deploy_status_type direction method

Do you have any values for method? If not, you need to work on your field extractions...

0 Karma
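Added illustration (not code from the thread, from Splunk, or from either Splunk employee): a small Python model of the distinction the two answers draw between a field search (`key=value`, matched against fields that search-time extraction produced) and a literal search (`"key=value"` in quotes, matched against the raw event text). The sample events are constructed to mirror the quoted log lines; `FIELD_LIMIT` is an assumed cap on how many distinct fields automatic key=value extraction yields per event (Splunk's auto-KV has a cap of this kind, set by `limit` in the `[kv]` stanza of limits.conf, default 100, but the constant here only models the idea), and substring containment stands in for Splunk's token matching. `table()` mimics the `| table deploy_status_type direction method` check suggested above, so you can see which value the extracted `method` field actually holds for the long event.

```python
"""Toy model: why `key=value` can miss an event that `"key=value"` still finds.

Added illustration, not Splunk code. Assumptions are marked in comments.
"""
import re
from typing import Dict, List

# Assumption: automatic key=value extraction stops after this many distinct
# fields per event. Splunk's search-time auto-KV has a cap of this kind
# (limits.conf [kv] limit, default 100); this constant only models it.
FIELD_LIMIT = 100

KV_RE = re.compile(r"(\w+)=(\S+)")

# Constructed sample events, modelled on the log lines quoted in the thread.
DEPLOY_EXIT = ("12:13:49|INFO|internals.py|147| [deploy_status] "
               "deploy_status_type=info direction=exiting method=execute_package "
               "file=deploy_profile.py engine_type=was method_duration=562156")

EVENT1 = ("12:54:03|INFO|internals.py|147| [deploy_status] "
          "deploy_status_type=info direction=exiting method=execute_package "
          "file=deploy_profile.py engine_type=was method_duration=1024765")

# EVENT2 is a long multi-line build log collapsed into one event: an earlier
# deploy_status line, then many lines carrying distinct key=value pairs, then
# the deploy_status line we actually want. The padding is constructed so the
# field cap is reached before the last line is ever looked at.
_EARLY = ("12:13:40|INFO|internals.py|147| [deploy_status] "
          "deploy_status_type=info direction=exiting method=install_profile "
          "file=deploy_profile.py engine_type=was method_duration=3001")
_NOISE = " ".join(f"12:13:4{i % 10}|INFO|bitvise.py|408| [host] artifact{i}=lib{i}.jar"
                  for i in range(FIELD_LIMIT))
EVENT2 = " ".join([_EARLY, _NOISE, DEPLOY_EXIT])

EVENTS: Dict[str, str] = {"EVENT1": EVENT1, "EVENT2": EVENT2}


def extract_fields(event: str, limit: int = FIELD_LIMIT) -> Dict[str, List[str]]:
    """Simulated auto-KV extraction: scan left to right, repeated keys become
    multivalue fields, and extraction stops once `limit` distinct fields exist."""
    fields: Dict[str, List[str]] = {}
    for m in KV_RE.finditer(event):
        key, value = m.group(1), m.group(2)
        if key not in fields:
            if len(fields) >= limit:
                break  # cap reached: everything further right is never extracted
            fields[key] = []
        fields[key].append(value)
    return fields


def field_search(terms: Dict[str, str], events: Dict[str, str] = EVENTS) -> List[str]:
    """`index=... key=value key=value`: implicit AND over *extracted* fields."""
    hits = []
    for name, raw in events.items():
        fields = extract_fields(raw)
        if all(value in fields.get(key, []) for key, value in terms.items()):
            hits.append(name)
    return hits


def literal_search(terms: List[str], events: Dict[str, str] = EVENTS) -> List[str]:
    """`index=... "key=value" AND "key=value"`: quoted terms are matched against
    the raw event text, not against extracted fields. Substring containment is
    used here; Splunk's real matching is token-based, so this is an approximation."""
    return [name for name, raw in events.items() if all(t in raw for t in terms)]


def table(columns: List[str], events: Dict[str, str] = EVENTS) -> Dict[str, List[str]]:
    """Rough equivalent of `| table col1 col2 ...`: one row per event with the
    extracted value(s) for each column, empty string when the field is absent."""
    rows: Dict[str, List[str]] = {}
    for name, raw in events.items():
        fields = extract_fields(raw)
        rows[name] = [",".join(fields.get(c, [])) for c in columns]
    return rows


if __name__ == "__main__":
    base = {"deploy_status_type": "info", "direction": "exiting"}
    print("field search, 2 terms :", field_search(base))
    print("field search, 3 terms :", field_search({**base, "method": "execute_package"}))
    print("literal search        :", literal_search(
        ["deploy_status_type=info", "direction=exiting", "method=execute_package"]))
    for name, row in table(["deploy_status_type", "direction", "method"]).items():
        print(name, row)
```

The `table()` output is the diagnostic that matters: for the long event the extracted `method` field holds only the value from the first deploy_status line, because extraction stopped at the cap before reaching the final line, so `method=execute_package` cannot match even though the text is plainly in the event and the quoted literal search finds it.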