If there are two statements in a log, how to set a custom message if those two statements are existing in one log

mnarmada
Path Finder

Hello All,

Here is my sample data.

"****19:30:06 C:\Pelibib\MBX\20190618193001755_MA07.MBX processed and deleted****
19:30:06 === Step #05 - Calling C:\Pelibib\SEM\AFTER.pl
19:30:06  - Running Program AFTER.pl
19:30:06 PELAP.pl Unable access to server C:\PELIDATA\F05X\REC\F0566811.TXT
19:30:09 BEFORE call C:\Pelint\Server\run_time\tmp\TR601323.BAT
19:30:09 O 601323 PAHKP102 PMGTN901 C:\PELIBIB\STD\EMI\PMGTN901-MA07-MA07AE_2019618.TXT_20190618193001755 MA07-169000398PSG2N802
19:30:09 AFTER call C:\Pelint\Server\run_time\tmp\TR601323.BAT
**19:30:09 O 601323 FILE C:\PELIBIB\STD\EMI\PMGTN901-MA07-MA07AE_2019618.TXT_20190618193001755 sended and deleted** "

My case is:
If two sentences which are below:
19:30:06 C:\Pelibib\MBX\20190618193001755_MA07.MBX processed and deleted
19:30:09 O 601323 FILE C:\PELIBIB\STD\EMI\PMGTN901-MA07-MA07AE_2019618.TXT_20190618193001755 sended and deleted

If the above two statements are present in one log, then I have to show it as "File Received", and if only the processed and deleted sentence is there (i.e., 19:30:06 C:\Pelibib\MBX\20190618193001755_MA07.MBX processed and deleted) and there is no sended and deleted sentence in the log, then I have to show it as "File stuck in XYZ folder".
But I am not able to use it properly and am not getting any idea how to use it in Splunk.

Please help me with your thoughts.

I have tried like below, but it was of no use:

index=idx_rfs7 sourcetype=st_fs7_pelican_logs | regex "FILE\s+C\W+PELIBIB\WSTD\WEMI\W.*\W(?P<AVIEXP_SENT>MA07)\W[A-Z]{2}\d{2}[A-Z]{2}\S\d{6,8}" | stats count as "File_Received" by _time 
| append [search index=idx_rfs7 sourcetype=st_fs7_pelican_logs
| regex "\d{1,2}:\d{1,2}:\d{1,2}\sC\W+Pelibib\WMBX\W\d{16,18}_(?P<AVIEXP_PROCESSED>MA07)\WMBX\sprocessed\sand\sdeleted"
| stats count as "File_Processed" by _time]
| eval Status=if(File_Received=File_Processed, "File Received", "File Stuck in INFERTEXT Folder")

Many Thanks in Advance!!

0 Karma

prabhakar_ps
Explorer

Hi
Please check if this helps..
I have added the below line to your file to make sure we process both outputs you are looking for..
19:30:06 C:\Pelibib\MBX\20190618193001754_MA07.MBX processed and deleted
Add index and sourcetype before the mentioned query..

| search _raw=*MA07*
| rex field=_raw "\WMBX\W(?<file_name>\d+)_MA07.MBX\s(?<status>.*)and deleted"
| rex field=_raw "\.TXT_(?<file_name>\d+)\s(?<status>.*)and deleted"
| stats values(status) as status by file_name
| eval status=mvjoin(status,",")
| search status!=*sended
| eval Result=if(like(status, "%processed ,sended%"), "File_received", "File_stuck_somewhere")

Output would look like:

file_name          status             Result
20190618193001754  processed          File_stuck_somewhere
20190618193001755  processed ,sended  File_received

0 Karma

prabhakar_ps
Explorer

Are you looking for something like this? If so, just add your index and sourcetype in the first line..

0 Karma

mnarmada
Path Finder

Thanks for your response!!

There are a lot of "sended and deleted" and "processed and deleted" statements/sentences in my log. I have given only one simple stanza of data.

I have tried with your comments. But it is taking all 4394 events and showing status when there is processed and deleted and sended and deleted.
That is not needed.

The condition is when there are both the statements present which are "processed and deleted" with MA07 code in path, which is file name and "sended and deleted" with MA07 file name then file received. If only "processed and deleted" is present then file stuck somewhere.

For reference please find this, adding one more stanza which is available in log.
Note: there are a lot of files like this but only MA07 needs to be checked.

19:20:11 C:\Pelibib\MBX\20190618192001754_MA09.MBX processed and deleted
19:20:11 === Step #05 - Calling C:\Pelibib\SEM\AFTER.pl
19:20:11  - Running Program AFTER.pl
19:20:11 PELAP.pl Unable access to server C:\PELIDATA\F05X\REC\F0566811.TXT
19:20:12 PELAP.pl Unable access to server C:\PELIDATA\MC25\REC\F0575784.TXT
19:20:12 PELAP.pl Unable access to server C:\PELIDATA\MC24\REC\F0586633.TXT
19:20:12 PELAP.pl Unable access to server C:\PELIDATA\MC28\REC\F0586634.TXT
19:20:12 PELAP.pl Unable access to server C:\PELIDATA\MC24\REC\F0586635.TXT
19:20:12 PELAP.pl Unable access to server C:\PELIDATA\MC28\REC\F0586636.TXT
19:20:12 PELAP.pl Unable access to server C:\PELIDATA\MC25\REC\F0586637.TXT
19:20:12 PELAP.pl Unable access to server C:\PELIDATA\MC30\REC\F0586638.TXT
19:20:13 PELAP.pl Unable access to server C:\PELIDATA\MB97\REC\F0586639.TXT
19:20:13 PELAP.pl Copy file C:\PELIBIB\STD\RECEP\F0601320 on C:\PELIDATA\F05X\REC\F0601320.TXT
19:20:15 === Step #06 - Calling C:\Pelibib\UTI\SCANNEREXIT.pl C:\Pelibib\LOGSCANNER\20190618.LOG
19:20:16 === Step #07 - PSG2N802 End of Pelsem.bat ***
19:20:16 Step #4 - PSG2N802 End of Pelsem.bat ***
19:20:28 BEFORE call C:\Pelint\Server\run_time\tmp\TR601322.BAT
19:20:28 O 601322 PAHKP102 PMGTN901 C:\PELIBIB\STD\EMI\PMGTN901-MA09-MA09JPJDE_AL20190618.TXT_20190618192001754 MA09-169000397PSG2N802
19:20:28 AFTER call C:\Pelint\Server\run_time\tmp\TR601322.BAT
19:20:28 O 601322 FILE C:\PELIBIB\STD\EMI\PMGTN901-MA09-MA09JPJDE_AL20190618.TXT_20190618192001754 sended and deleted
19:20:29 le fichier STDOUT=c:\pelint\server\run_time\tmp\XPR601322.out
*---------------------------------------------------------------------**
------------------
19:30:05 POST -bd "" PMGTN901 MA07 C:\PELIBIB\STD\EMI\PMGTN901-MA07-2019618.TXT_20190618193001755 PAHKP102 "LFI16P_AE" ""
19:30:06 C:\Pelibib\MBX\20190618193001755_MA07.MBX processed and deleted
19:30:06 === Step #05 - Calling C:\Pelibib\SEM\AFTER.pl
19:30:06  - Running Program AFTER.pl
19:30:06 PELAP.pl Unable access to server C:\PELIDATA\F05X\REC\F0566811.TXT
19:30:07 PELAP.pl Unable access to server C:\PELIDATA\MC25\REC\F0575784.TXT
19:30:07 PELAP.pl Unable access to server C:\PELIDATA\MC24\REC\F0586633.TXT
19:30:07 PELAP.pl Unable access to server C:\PELIDATA\MC25\REC\F0586637.TXT
19:30:07 PELAP.pl Unable access to server C:\PELIDATA\MC30\REC\F0586638.TXT
19:30:07 PELAP.pl Unable access to server C:\PELIDATA\MB97\REC\F0586639.TXT
19:30:09 BEFORE call C:\Pelint\Server\run_time\tmp\TR601323.BAT
19:30:09 O 601323 PAHKP102 PMGTN901 C:\PELIBIB\STD\EMI\PMGTN901-
19:30:09 O 601323 TRTTAB.pl MA07 PAHKP102  2 => CALL EXITS\E_XXXX_E.CMD
19:30:09 AFTER call C:\Pelint\Server\run_time\tmp\TR601323.BAT
19:30:09 O 601323 FILE C:\PELIBIB\STD\EMI\PMGTN901-MA07-MA07AE_2019618.TXT_20190618193001755 sended and deleted

Thanks

0 Karma

woodcock
Esteemed Legend

Like this:

index=idx_rfs7 sourcetype=st_fs7_pelican_logs
| rex "FILE\s+C\W+PELIBIB\WSTD\WEMI\W.*\W(?<AVIEXP_SENT>MA07)\W[A-Z]{2}\d{2}[A-Z]{2}\S\d{6,8}"
| rex "\d{1,2}:\d{1,2}:\d{1,2}\sC\W+Pelibib\WMBX\W\d{16,18}_(?<AVIEXP_PROCESSED>MA07)\WMBX\sprocessed\sand\sdeleted"
| stats count(eval(AVIEXP_SENT)) AS received count(eval(AVIEXP_PROCESSED)) AS processed BY source
| where received != processed
0 Karma