Splunk Search

How to find users that had only errors for certain event?

dsnytkine
Engager

We have log entries in format like this:

LogLevel=info  username=some1 eventID=update

So in case of error the LogLevel will be LogLevel=error
LogLevel can also be debug

What I need to do is to find all users that had eventID=update but always had LogLevel=error and present them in table format
Username | count

If I simply search
eventID=update LogLevel=error then I will get all matching entries for users with LogLevel=error but some of these users probably also had entries with LogLevel=info (or debug)
How do I find users that had only LogLevel=error with this eventID?

0 Karma
1 Solution

tiagofbmm
Influencer

This gets you all the users with eventID="update" and only had LogLevel equal to error.

index=yourindex eventID="update"
| stats count sum(eval(if(LogLevel!="error",1,0))) as HadOtherLogLevels by username
| where HadOtherLogLevels==0
| table username count

Was this what you intended?


0 Karma


dsnytkine
Engager

Sounds like this is what I need. Is this the most efficient way? Thank you, I will test the solution.

0 Karma

dsnytkine
Engager

Yes, it worked, thank you. I'm wondering how common is this scenario?

0 Karma

niketn
Legend

Splunk's _internal logs also maintain log_level as "INFO", "ERROR", "WARN" and "FATAL". So with a query like this you can search for the Splunk component which has always thrown errors, for example after an upgrade, install or config change, etc., to isolate the issue. There could be several different use cases on similar lines.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

tiagofbmm
Influencer

Great. Honestly, I had never seen that requirement, but it is within the normal logic of Splunk things.

0 Karma

niketn
Legend

@dsnytkine, can you please try the following?

<YourBaseSeach> LogLevel="*" eventID="update"
| stats dc(LogLevel) as distinctCountLogLevel values(LogLevel) as LogLevels by username
| search distinctCountLogLevel=1 AND LogLevels="ERROR"

The values() statistical function gives the unique values of LogLevel. Similarly, dc() gives the distinct count of LogLevel values. So the only results kept are those that have a single unique LogLevel and that value is ERROR.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
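Added example, not part of the thread or of Splunk's own code: the logic of both answers (tiagofbmm's sum-of-non-error test and niketn's dc()/values() test) reimplemented in Python over a few constructed log lines in the question's format, so the filter can be checked offline and the "Username | count" table the question asked for is produced. It assumes the field names LogLevel, username and eventID from the question; the sample data and function names are mine. One caveat it handles explicitly: in Splunk, eval's != and == are case-sensitive while the search command matches field values case-insensitively, so "error" and "ERROR" are normalised before comparison.

```python
"""Added example (not from the thread): "users who only ever logged error for
eventID=update", implemented two ways to mirror the two SPL answers."""
from collections import defaultdict
import re

# Constructed sample data in the question's key=value format; not real logs.
SAMPLE_LOGS = """\
LogLevel=info  username=some1 eventID=update
LogLevel=error username=some1 eventID=update
LogLevel=error username=some2 eventID=update
LogLevel=ERROR username=some2 eventID=update
LogLevel=debug username=some3 eventID=delete
LogLevel=error username=some3 eventID=update
LogLevel=error username=some4 eventID=delete
LogLevel=info  username=some5 eventID=update
"""

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Extract key=value pairs, like Splunk's automatic field extraction."""
    return dict(KV_RE.findall(line))


def events_for(lines, event_id="update"):
    """Equivalent of the base search `eventID="update"`."""
    for line in lines.splitlines():
        ev = parse_line(line)
        if ev.get("eventID") == event_id:
            yield ev


def only_error_by_sum(lines, event_id="update"):
    """tiagofbmm's approach: per user, sum(eval(if(LogLevel!="error",1,0)))
    and keep users whose sum is 0. Returns {username: count}.
    An event without LogLevel adds 0, as eval's if() does when the
    comparison is null (not "other", but still counted)."""
    other = defaultdict(int)
    count = defaultdict(int)
    for ev in events_for(lines, event_id):
        user = ev["username"]
        count[user] += 1
        level = ev.get("LogLevel")
        # eval comparisons are case-sensitive in Splunk; normalise here
        if level is not None and level.lower() != "error":
            other[user] += 1
    return {u: count[u] for u in count if other[u] == 0}


def only_error_by_distinct(lines, event_id="update"):
    """niketn's approach: dc(LogLevel)==1 and values(LogLevel)=="error".
    Mirrors the `LogLevel="*"` base search: events lacking the field are
    dropped before aggregation. Returns {username: count}."""
    levels = defaultdict(set)
    count = defaultdict(int)
    for ev in events_for(lines, event_id):
        if "LogLevel" not in ev:
            continue
        user = ev["username"]
        levels[user].add(ev["LogLevel"].lower())
        count[user] += 1
    return {u: count[u] for u, seen in levels.items() if seen == {"error"}}


def render_table(result):
    """The 'Username | count' table the question asked for."""
    rows = ["Username | count"] + [f"{u} | {c}" for u, c in sorted(result.items())]
    return "\n".join(rows)


if __name__ == "__main__":
    print(render_table(only_error_by_sum(SAMPLE_LOGS)))
    print()
    print(render_table(only_error_by_distinct(SAMPLE_LOGS)))
```

On the sample data both functions return some2 (two error events, one spelled ERROR) and some3 (its only update event is an error; the debug event has a different eventID and is excluded by the base search), while some1 and some5 drop out because they also logged info. The two approaches only diverge on events that have eventID=update but no LogLevel field at all: the sum version still counts them for the user, the distinct version never sees them.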

dsnytkine
Engager

Looks like it worked too, very interesting solution.

0 Karma