Splunk Search

Match multiple items in If with Top

jkat54
SplunkTrust
index="test" host="*P*" "Type=Error" 
|eval Code = if(EventCode="10034","Access Denied",if(EventCode="5749","Port Timeout",if(EventCode="5778","Failed to Process",if(EventCode="10033","Unexpected Message","Other")))) 
| top Code

This gives me the results I'm looking for, but then I noticed there were a few other errors with EventCode="10034". So I wanted to separate the errors like this:

...| eval Code = if((EventCode="10034" AND Message="*InternalWriteEvent*"),"Access Denied",...

Only when I do that, the EventCode 10034 with a message= *InternalWriteEvent* shows up as "Other".

Here's the source:

20120812150058.000000
Category=0
CategoryString=NULL
EventCode=10034
EventIdentifier=10034
EventType=1
Logfile=Application
RecordNumber=8043256
SourceName=XLANG/s
TimeGenerated=20120812200058.000000-000
TimeWritten=20120812200058.000000-000
Type=Error
User=NULL
ComputerName=HostName
wmi_type=WinEventLog:Application
Message=xlang/s engine event log entry: Uncaught exception (see the 'inner exception' below) has suspended an instance of service '(e9e7c7bd-18f4-9e4a-3c51-1b04f61e95fb)'.
The service instance will remain suspended until administratively resumed or terminated. 
If resumed the instance will continue from its last persisted state and may re-throw the same unexpected exception.
InstanceId: 85411cad-1e68-4921-abc3-8220a148cde9
Shape name: Declare Base Log
ShapeId: 33a466b0-4e84-49b3-bb0b-ba64131545eb
Exception thrown from: segment 2, progress 19
Inner exception: Access is denied

Exception type: Win32Exception
Source: System
Target Site: Void InternalWriteEvent(UInt32, UInt16, System.Diagnostics.EventLogEntryType, System.String[], Byte[], System.String)
The following is a stack trace that identifies the location where the exception occured

   at System.Diagnostics.EventLogInternal.InternalWriteEvent(UInt32 eventID, UInt16 category, EventLogEntryType type, String[] strings, Byte[] rawData, String currentMachineName)
   at System.Diagnostics.EventLogInternal.WriteEntry(String message, EventLogEntryType type, Int32 eventID, Int16 category, Byte[] rawData)
   at System.Diagnostics.EventLog.WriteEntry(String source, String message, EventLogEntryType type, Int32 eventID, Int16 category, Byte[] rawData)
   at Orchestration.segment2(StopConditions stopOn)
   at Microsoft.XLANGs.Core.SegmentScheduler.RunASegment(Segment s, StopConditions stopCond, Exception& exp)

Any help would be appreciated.

TIA

1 Solution

lguinn2
Legend

I would use the case function instead. Also, you can't use wildcards in either the if function or the case function. See if this works.

index="test" host="*P*" "Type=Error" 
| eval Code="Other"
| eval Code=case(EventCode=="10034" AND match(Message,"InternalWriteEvent"),"Access Denied",
                 EventCode=="5749","Port Timeout",
                 EventCode=="5778","Failed to Process",
                 EventCode=="10033","Unexpected Message")
| top Code

jkat54
SplunkTrust

Just solved, thanks to your example.

I changed my search to this:

index="test" host="*P*" "Type=Error"
| eval Code = if(EventCode="10034" AND match(Message,"InternalWriteEvent"),"Access Denied",if(EventCode="5749","Port Timeout",if(EventCode="5778","Failed to Process",if(EventCode="10033","Unexpected Message","Other"))))
| top Code

The example you gave wouldn't return "Other"s but did everything else correctly. The match(Message,"InternalWriteEvent") was key!

Thanks!
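The two points this thread turns on, shown in one self-contained search (an added example, not code from either poster): inside eval, a quoted string such as "*InternalWriteEvent*" is compared literally, so wildcards never match there and a regex test with match() is needed; and case() returns NULL when no condition matches, so an eval that assigns its result clears the Code field set earlier, which is why the accepted answer produced no "Other" rows. A final catch-all branch with true() restores the default. The events are constructed with makeresults so the search runs on any Splunk instance without the "test" index; the EventCode and Message values are made up, apart from the InternalWriteEvent fragment taken from the question.

```spl
| makeresults count=5
| streamstats count AS n
| eval EventCode=case(n==1,"10034", n==2,"10034", n==3,"5749", n==4,"10033", n==5,"4242")
| eval Message=case(
    n==1,"Target Site: Void InternalWriteEvent(UInt32, UInt16, ...)",
    n==2,"xlang/s engine event log entry: some other 10034 failure",
    n==3,"connection to remote port timed out",
    n==4,"unexpected message received",
    n==5,"unrelated error")
| eval Code=case(
    EventCode=="10034" AND match(Message,"InternalWriteEvent"), "Access Denied",
    EventCode=="5749", "Port Timeout",
    EventCode=="5778", "Failed to Process",
    EventCode=="10033", "Unexpected Message",
    true(), "Other")
| top Code
```

Only the first 10034 event is classified as "Access Denied"; the second 10034 event (no InternalWriteEvent in its message) and the 4242 event fall through to "Other" because of the true() branch. Drop that branch and those two events lose their Code field entirely, reproducing the behaviour reported above. Replace the first two lines with the real `index="test" host="*P*" "Type=Error"` search to run it against live data.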
