Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Trying to remove certain strings in a aggregated operation

praddasg
Path Finder
‎02-17-2020 12:39 PM

Hello,

From the below query

  1. I am trying to remove certain strings from a field "message" or find the a specific string seems does not working, tried including but the result still has values which has this message
  2. At the same time i tried using the command to remove the strings which has in the field message but still does not seem to work

index=apps
sourcetype="pos-generic:prod" Received request to change status=CONFIRMED OR status=REJECTED
partner_account_name="Level Up"
| stats count by status, merchantId
| xyseries merchantId, status, count
| eval result = (REJECTED)/((CONFIRMED+REJECTED))*100
| fillnull value=100 result
| eval count = CONFIRMED + REJECTED
| where count >= 10
| where result >= 20

Tags (1)
0 Karma
Reply

jpolvino
Builder
‎02-17-2020 01:32 PM

Just a few observations from what you've posted.

  1. Consider putting this in double quotes: Received request to change
  2. For readability, make your stats say stats count AS Volume by status,count Then you can use Volume later on with less confusion.
  3. The stats command destroys native fields and only give you aggregated fields it produces. So you cannot access REJECTED or CONFIRMED.
  4. Can you please post what you get after your xyseries line and what you want to do with those values? Feel free to dummy up the data to hide confidential info.
Reply

praddasg
Path Finder
‎02-18-2020 06:27 AM

So when I run the query mentioned above i get the following result

alt text

The merchantID 1684264 has message "xyz" and also have REJECT count as 6. I verified all the REJECT of this merchantId has the same message.

Now I am trying to execute the query as below

index=apps
sourcetype="pos-generic:prod" Received request to change status=CONFIRMED OR status=REJECTED AND message!="xyz"
partner_account_name="Level Up"
| stats count by status, merchantId
| xyseries merchantId, status, count
| eval result = (REJECTED)/((CONFIRMED+REJECTED))*100
| fillnull value=100 result
| eval count = CONFIRMED + REJECTED
| where count >= 10
| where result >= 20

My expectation is not to show the result of merchantId = 1684264 as it has all the 6 REJECT count as this message (my expectation is getting fulfilled). When I was trying yesterday it was not, may be I was doing something wrong.

Now what I want to try is, instead of passing an exact string for the message field, i would want to pass something like message contains something like "item". So it might be "some items missing" or "items not there". So i just want to use "item" as the common

0 Karma
Reply

praddasg
Path Finder
‎02-18-2020 06:32 AM

I tried using but it is not giving me any result

0 Karma
Reply

praddasg
Path Finder
‎02-18-2020 07:20 AM

I tried using https://answers.splunk.com/answers/479010/how-to-write-a-search-with-the-condition-if-field1.html but no help either

0 Karma
Reply

praddasg
Path Finder
‎02-18-2020 07:47 AM

ok i used something like
| regex message != "item"

not sure if this would have any further complication. Checking

0 Karma
Reply
Get Updates on the Splunk Community!

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...