Splunk Search

Match multiple items in If with Top

jkat54
SplunkTrust
index="test" host="*P*" "Type=Error" 
|eval Code = if(EventCode="10034","Access Denied",if(EventCode="5749","Port Timeout",if(EventCode="5778","Failed to Process",if(EventCode="10033","Unexpected Message","Other")))) 
| top Code

This gives me the results I'm looking for, but then I noticed there were a few other errors with EventCode="10034". So I wanted to separate the errors like this:

...| eval Code = if((EventCode="10034" AND Message="*InternalWriteEvent\*"),"Access Denied",...

Only when I do that, the EventCode 10034 with a message= *InternalWriteEvent* shows up as "Other".

Here's the source:

20120812150058.000000
Category=0
CategoryString=NULL
EventCode=10034
EventIdentifier=10034
EventType=1
Logfile=Application
RecordNumber=8043256
SourceName=XLANG/s
TimeGenerated=20120812200058.000000-000
TimeWritten=20120812200058.000000-000
Type=Error
User=NULL
ComputerName=HostName
wmi_type=WinEventLog:Application
Message=xlang/s engine event log entry: Uncaught exception (see the 'inner exception' below) has suspended an instance of service '(e9e7c7bd-18f4-9e4a-3c51-1b04f61e95fb)'.
The service instance will remain suspended until administratively resumed or terminated. 
If resumed the instance will continue from its last persisted state and may re-throw the same unexpected exception.
InstanceId: 85411cad-1e68-4921-abc3-8220a148cde9
Shape name: Declare Base Log
ShapeId: 33a466b0-4e84-49b3-bb0b-ba64131545eb
Exception thrown from: segment 2, progress 19
Inner exception: Access is denied

Exception type: Win32Exception
Source: System
Target Site: Void InternalWriteEvent(UInt32, UInt16, System.Diagnostics.EventLogEntryType, System.String[], Byte[], System.String)
The following is a stack trace that identifies the location where the exception occured

   at System.Diagnostics.EventLogInternal.InternalWriteEvent(UInt32 eventID, UInt16 category, EventLogEntryType type, String[] strings, Byte[] rawData, String currentMachineName)
   at System.Diagnostics.EventLogInternal.WriteEntry(String message, EventLogEntryType type, Int32 eventID, Int16 category, Byte[] rawData)
   at System.Diagnostics.EventLog.WriteEntry(String source, String message, EventLogEntryType type, Int32 eventID, Int16 category, Byte[] rawData)
   at Orchestration.segment2(StopConditions stopOn)
   at Microsoft.XLANGs.Core.SegmentScheduler.RunASegment(Segment s, StopConditions stopCond, Exception& exp)

Any help would be appreciated.

TIA


lguinn2
Legend

I would use the case function instead. Also, you can't use wildcards in either the if function or the case function. See if this works.

index="test" host="*P*" "Type=Error" 
| eval Code="Other"
| eval Code=case(EventCode=="10034" AND match(Message,"InternalWriteEvent"),"Access Denied",
                 EventCode=="5749","Port Timeout",
                 EventCode=="5778","Failed to Process",
                 EventCode=="10033","Unexpected Message")
| top Code

jkat54
SplunkTrust

Just solved, thanks to your example.

I changed my search to this:

index="test" host="*P*" "Type=Error" | eval Code = if(EventCode="10034" AND match(Message,"InternalWriteEvent"),"Access Denied",if(EventCode="5749","Port Timeout",if(EventCode="5778","Failed to Process",if(EventCode="10033","Unexpected Message","Other")))) | top Code

The example you gave wouldn't return "Other"s but did everything else correctly. The match(Message,"InternalWriteEvent") was key!

Thanks!

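An added example (not posted by either participant) that follows on from the exchange above. case() returns null when none of its conditions match, so a later eval that reassigns Code from case() discards the "Other" default set by the previous eval, which is why the nested-if version kept its "Other" bucket and the case() version did not. Putting the default inside case() as a final true() branch keeps it, and a second EventCode 10034 branch separates the other 10034 errors the question mentions from the InternalWriteEvent ones. The field names, values and search filter are taken from the question; the literal "Target Site: Void InternalWriteEvent" pattern is assumed to appear only in the access-denied events shown.

```spl
index="test" host="*P*" "Type=Error"
| eval Code=case(
    EventCode=="10034" AND match(Message, "Target Site: Void InternalWriteEvent"), "Access Denied",
    EventCode=="10034", "Other 10034",
    EventCode=="5749", "Port Timeout",
    EventCode=="5778", "Failed to Process",
    EventCode=="10033", "Unexpected Message",
    true(), "Other")
| top Code
```

Running `| stats count by EventCode Code` instead of `| top Code` shows which raw codes landed in each bucket, which is the quickest way to check that no code is silently falling through to "Other".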