Splunk Search

Case and Match do not retrieve the right results

amunag439
Explorer

I have the following logs where the output can be from application or database or from third party source.

id=11111 req=getresult from app msg=from application status=200
id=2222 req=getresult from db msg=result from db status=200
id=3333 req=getresult from others msg=third party status=200

Using the above logs, I want to calculate the success rate for each source. I found eval is the best option to use.

host=Test sourcetype="test*" source="test.log" "req=getresult*" 
| rex "status=(?<http_status>\d{3})"  
| eval success= case(match(msg,"from application"), "Application", 
                      match(msg, "result from db"), "DB", 1=1, "Third party")  
| where http_status=200 | stats count by success

But the result is not right: I get the count of all the events as Third party. What am I missing here?


woodcock
Esteemed Legend

The automatic field extraction that you get from KV_MODE = auto will extract the values 'from' or 'result' for msg, which is insufficient/incorrect. You should do your own field extractions, but in the meantime you can do this:

host=Test sourcetype="test*" source="test.log" "req=getresult*" 
| rex "status=(?<http_status>\d{3})" 
| where http_status=200
| eval success= case(
   match(_raw, "msg=from application"), "Application", 
   match(_raw, "msg=result from db"), "DB",
   true(), "Third party")  
| stats count BY success
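An added Python model of what the answer above describes; it is not Splunk code and not from either poster. It approximates automatic key=value extraction (a value ends at the first whitespace, so msg becomes "from" or "result"), applies the same case/match branches as the question's search, and shows why every event lands in "Third party" until msg is extracted with a proper regex. The sample events are constructed from the three lines in the question plus one non-200 event; the regexes and function names are assumptions for illustration.

```python
import re
from collections import Counter

# Constructed sample events, modelled on the three lines in the question,
# plus one failing request so the status filter has something to drop.
LOGS = [
    "id=11111 req=getresult from app msg=from application status=200",
    "id=2222 req=getresult from db msg=result from db status=200",
    "id=3333 req=getresult from others msg=third party status=200",
    "id=4444 req=getresult from db msg=result from db status=500",
]

# Approximation of KV_MODE=auto: key=value pairs where the value stops at
# the first whitespace character. This is why msg is extracted as "from".
KV_AUTO = re.compile(r"(\w+)=(\S+)")

def auto_kv(raw):
    """Return the fields an automatic key=value extraction would produce."""
    return dict(KV_AUTO.findall(raw))

def auto_msg(raw):
    """The 'msg' value as automatic extraction sees it (truncated)."""
    return auto_kv(raw).get("msg", "")

# Explicit extractions, equivalent to rex in the search: the msg value runs
# until the next 'status=' pair, and http_status is the three-digit code.
MSG_RE = re.compile(r"msg=(?P<msg>.*?)\s+status=")
STATUS_RE = re.compile(r"status=(?P<http_status>\d{3})")

def extract_msg(raw):
    """The full 'msg' value, e.g. 'result from db'."""
    m = MSG_RE.search(raw)
    return m.group("msg") if m else ""

def extract_status(raw):
    """The HTTP status as an int, or None if the event has none."""
    m = STATUS_RE.search(raw)
    return int(m.group("http_status")) if m else None

def classify(msg):
    """Same branches as case(match(msg, ...), ..., 1=1, 'Third party')."""
    if re.search(r"from application", msg):
        return "Application"
    if re.search(r"result from db", msg):
        return "DB"
    return "Third party"

def success_counts(lines, msg_getter=extract_msg):
    """Equivalent of: where http_status=200 | stats count by success.

    msg_getter selects how 'msg' is obtained: auto_msg reproduces the
    broken result from the question, extract_msg the corrected one.
    """
    counts = Counter()
    for raw in lines:
        if extract_status(raw) != 200:
            continue
        counts[classify(msg_getter(raw))] += 1
    return dict(counts)

if __name__ == "__main__":
    print("auto-extracted msg:", [auto_msg(r) for r in LOGS])
    print("with auto extraction:", success_counts(LOGS, auto_msg))
    print("with explicit regex:", success_counts(LOGS))
```

Running it shows the truncated msg values ("from", "result", "third") under automatic extraction, every 200 event counted as "Third party", and the expected one-per-source split once msg is extracted up to the next field. Matching on _raw, as the answer above does, sidesteps the truncation in the same way because the full "msg=from application" text is still present in the event.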

jawaharas
Motivator

Are you parsing the 'msg' field properly?

host=Test sourcetype="test*" source="test.log" "req=getresult*" 
| rex "status=(?<http_status>\d{3})" 
| table msg, http_status

Does the above search return the result below?
from application 200
result from db 200
third party 200
