Splunk Search

Searching a particular field and performing actions based on its presence and value

kdulhan
Explorer

My application logs will print each record with an id. If the record has any error, it will display the Error field; else it won't. I want to look for the Error field in each record; if present, I have to look for the values in the Error field. If 'A', I have to increase the count for Error Code 503 by 1; if 'B', I have to increase the count for Error Code 504 by 1; and if the Error field is not present in the record, I have to increase the count for response code 200 by 1.

woodcock
Esteemed Legend

Actually, I think that I took you too literally in the other answer. I think that what you are really needing is aggregation counts like this:

 |makeresults | eval raw="Timestamp: 2017-31-08 21:00:01 alpha-transform-id=random generated id, [Response] Service = alpha-transform, ResponseTime=200ms:::Timestamp: 2017-31-08 21:00:03 alpha-transform-id=random generated id, [Error Response] Service = alpha-transform, ResponseTime=200ms, Error='A'"
 | makemv delim=":::" raw
 | mvexpand raw
 | rename raw AS _raw
 | kv

 | rename COMMENT AS "Everything above generates sample event data; everything below is your solution."

 | eval returnCode=case(Error="'A'", "503",
                        Error="'B'", "504",
                        true(),      "200")
 | stats count by returnCode
0 Karma

kdulhan
Explorer

My initial search condition is =>
index=ltm1_idx ns=app1 Service='trigger1' Id!='temp-12' | search ErrorResponse

This will result in the events where I will get the Ids other than temp-12, e.g. 100, 123, 124, etc. Now I need to search using that Id value, e.g. Id=100, and get an ActNo field value.

e.g. Event => index=ltm1_idx ns=app1 Service='trigger1' Id='100' ActNo=A123.

Now get this Account No field and check its value: either A123 or not A123. If A123, add a counter to field1, and if not A123, add a counter to field2. And display the values of field1 and field2 for all the events found in the initial search above over a period of time.

0 Karma

kdulhan
Explorer

In order to search for the error records, I use:
ns=app1 Service='trigger1' Id!='temp-100' | search ErrorResponse

Here I get an event like:
timestamp ns=app1 [ErrorResponse] Service='trigger1' id=105 ActNo=1234

Now I have to fetch this ActNo field and search with only ActNo=1234. It will list many events, and in those I have to look for a field appId = 'New1'. If New1, I have to add it to counter1, else counter2.

Thank you!

0 Karma
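As an added example (not from this thread), one way to chain the two searches the last two posts describe: a subsearch collects the ActNo values from the error events, the outer search then pulls every event for those account numbers, and the per-hour counts are split on appId. Index, namespace and field names are taken from the posts above; `trim` strips the single quotes the sample events put around values (so `appId='New1'` still matches), and the subsearch is subject to the default subsearch result limit, so `dedup` keeps it to one row per account number.

```spl
index=ltm1_idx ns=app1
    [ search index=ltm1_idx ns=app1 Service='trigger1' Id!='temp-100' ErrorResponse
      | dedup ActNo
      | fields ActNo ]
| eval counterName=if(trim(appId, "'")="New1", "counter1", "counter2")
| timechart span=1h count by counterName
```

The subsearch expands to `(ActNo="1234") OR (ActNo="...")`, so the outer search returns only events for the account numbers that had an ErrorResponse; replace `timechart` with `stats count by counterName` if a single total per counter is wanted instead of a time series.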

woodcock
Esteemed Legend

I believe you started over in another Question on Answers that is better formulated, right?

0 Karma

kdulhan
Explorer

Yes. And apologies for changing the contents as I was also not sure on the pattern of events I was getting. Thank you!

0 Karma

woodcock
Esteemed Legend

No problem; it just means that this Q&A is dead. Nothing to see. Move along.

0 Karma

woodcock
Esteemed Legend

Do it like this (probably not, though, see other answer):

|makeresults
| eval raw="Timestamp: 2017-31-08 21:00:01 alpha-transform-id=random generated id, [Response] Service = alpha-transform, ResponseTime=200ms:::Timestamp: 2017-31-08 21:00:03 alpha-transform-id=random generated id, [Error Response] Service = alpha-transform, ResponseTime=200ms, Error='A'"
| makemv delim=":::" raw
| mvexpand raw
| rename raw AS _raw
| kv

| rename COMMENT AS "Everything above generates sample event data; everything below is your solution."

| eval fieldToInc=case(Error="'A'", "503",
                       Error="'B'", "504",
                       true(),      "200")
| eval {fieldToInc}_T3mP = 1
| foreach *_T3mP [eval "<<MATCHSTR>>" = if(isnotnull($<<FIELD>>$), if(isnull($<<MATCHSTR>>$), 1, $<<MATCHSTR>>$ + 1), null()) ]
| fields - fieldToInc *_T3mP
0 Karma

kdulhan
Explorer

Examples of events:

Without error:
Timestamp: 2017-31-08 21:00:01 alpha-transform-id=random generated id, [Response] Service = alpha-transform, ResponseTime=200ms ....

With error:
Timestamp: 2017-31-08 21:00:03 alpha-transform-id=random generated id, [Error Response] Service = alpha-transform, ResponseTime=200ms, Error='A' ....

Kindly let me know: if I just put the index and namespace in the search bar and got the above two records as an example, how can I search for the Error field and then evaluate based on its value to assign the right error code?

0 Karma

woodcock
Esteemed Legend

I don't get it. This kind of situation always benefits from sample event data and desired mockup of final output.

0 Karma