- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to create a dashboard search with the conditio...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to create a dashboard search with the condition "If status is not success, show error code, type, and message on the same row"?
I want to create a dashboard with a table listing integration name and execution status with the following condition:
If execution status is different than success -> on same row, show error code, error type, and error message
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I extracted Log.Execution.Status as a field , and now its pulls up all the status
How do i add another row in the table for this logic
If execution status is different than success -> on same row, show error code, error type, and error message
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Assuming the fields integrationName, executionStatus (success/failure), errorCode, errorType and errorMessage are already extracted use below
yourQuery to return all the fields
| table integrationName, executionStatus, errorCode, errorType and errorMessage | where executionStatus!="success"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
index=ko_mulesoft source="*" source="*" "LOG.Execution.Status"="*" | table source, LOG.Execution.Status
Above search got me 278 3 results.
Next part to achieve is
if execution status is different than success -> on same row, show error code, error type and error message
How do I achieve that?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Looks like the "LOG.Execution.Status" is part of your data as a string and not as a field. You need to first extract the fields from your data strings
How to extract fields, see here:
http://docs.splunk.com/Documentation/Splunk/6.5.0/Knowledge/ExtractfieldsinteractivelywithIFX
http://docs.splunk.com/Documentation/Splunk/6.5.0/Knowledge/Managesearch-timefieldextractions
Once the fields are extracted then you should run the query I put in where each of these is a Field in which your event data is saved as a result.
integrationName, executionStatus, errorCode, errorType and errorMessage
Else if you can paste your mulesoft log line here which has all the required data which you want to extract info from so I can assist you with the fields extraction.
Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!
They're back! Join the SplunkTrust and MVP at .conf24
Enterprise Security Content Update (ESCU) | New Releases
