Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Can find the string in event but count, timechart, where does not work

maximusdm
Communicator
‎04-14-2017 12:29 PM

hi there, new to Splunk here..question:

Event log:
4/14/2017 16:00:00 +0000, blah blah...., statusCode="'20'", status_text="Material not found or deleted.", Description="1 occurrences of status code '20': Material not found or deleted.

This works:

index=blahlah status_text="*Material not found or deleted.*"
index=blahlah Description="*Material not found or deleted.*"

This WILL NOT work:

index=blah blah
| timechart span=1h count(eval(Description="*Material not found or deleted.*")) AS Occurences
| where Occurences > 0

index=blah blah
| timechart span=1h count(eval(status_text="*Material not found or deleted.*")) AS Occurences
| where Occurences > 0

index=blah blah
| where status_text="*Material not found or deleted*"

Thank you

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎04-14-2017 12:50 PM

Wildcards are not universal among SPL commands. Try using match or like in your eval commands.

... count (eval (like (Description, "%Material not found or deleted.%"))) ...

... count (eval (match (Description, "Material not found or deleted"))) ...
---
If this reply helps you, Karma would be appreciated.

View solution in original post

Reply
Solved! Jump to solution

acharlieh
Influencer
‎04-14-2017 12:57 PM

The problem that you're running into is that search and where / eval are fundamentally different commands.

A search for foo="bar*" looks for events where the foo field starts with bar (case insensitively). Whereas a where filter for foo="bar*" looks for events where the foo field is exactly the string bar*.

For some examples:

| makeresults count=10 | streamstats count | eval foo=case(count%2==0,"Barz",1==1,"bar*") 
| search foo="bar*"

Returns all 10 events

| makeresults count=10 | streamstats count | eval foo=case(count%2==0,"Barz",1==1,"bar*") 
| where foo="bar*"

Returns the 5 odd numbered events only

| makeresults count=10 | streamstats count | eval foo=case(count%2==0,"Barz",1==1,"bar*") 
| stats count(eval(searchmatch("foo=\"Bar*\""))) as searchmatch count(eval(foo="Bar*")) as nomatch

Returns searchmatch=10, nomatch=0

If you want wildcarding with eval/where you may want to look into some functions for eval namely, the like, match, and searchmatch functions.

Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎04-14-2017 12:50 PM

Wildcards are not universal among SPL commands. Try using match or like in your eval commands.

... count (eval (like (Description, "%Material not found or deleted.%"))) ...

... count (eval (match (Description, "Material not found or deleted"))) ...
---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

maximusdm
Communicator
‎04-14-2017 01:50 PM

thank you. that worked nicely.

0 Karma
Reply
Get Updates on the Splunk Community!

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...