Splunk Search

How to filter results of a 2nd search from the main search

D_Rai
New Member

I have a use case where I want to setup Splunk Alerts for certain Exception events. I have already defined standard Error messages for these individual Exceptions. Below is a sample use case:

Exception Event 1 outputs:
    Standard Error Message 1
    Common Message

Exception Event 2 outputs:
    Common Message

In the above use case, when Exception Event 1 happens, it outputs 2 messages to the Log (Standard Error Message 1 and Common Message). When Exception Event 2 happens, it only outputs the Common Message to the log.

For defining Splunk Alert for the Event 1, I want to ensure that I am checking the 2 counts of search results matching both the Message 1 and Common Message to ensure that both these searches return the same results count for a given time period. Is it possible to achieve this type of Splunk query using eval and If statement?

My objective is to ensure that I am able to accurately identify scenario for the Exception Event 1 occurring where both the messages would be output to the logs in the same count.


PickleRick
SplunkTrust

The answer to the question of whether it can be achieved _only_ using evals and ifs is almost definitely "no".

It needs a bit more than that.

While your question is a bit vague and it could use some literal examples (possibly anonymized), I assume that you need something like this:

<your index> ((<conditions for error message1>) OR (<conditions for common message>))
| eval message1=if(searchmatch("<conditions for error message1>"),1,0)
| eval commonmessage=if(searchmatch("<conditions for common message>"),1,0)
| stats sum(message1) sum(commonmessage)

Something like this will give you the count of your respective messages over your search window. If those numbers differ, you'll know that you have more messages of one kind than the other.

BTW, searchmatch() is probably not the most efficient way to categorize those events, so if you can specify the rules in a simpler way (for example, by matching a particular field's value) it will probably be beneficial for search performance.

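The skeleton above carried through to an alert-ready search, as an added example that is not part of the original answer. The index name `app_logs`, the sourcetype `app:java`, and the literal message texts "Standard Error Message 1" and "Common Message" are assumptions standing in for whatever the poster's application actually logs; the final `where` clause is what turns the count comparison into something an alert can trigger on.

```spl
index=app_logs sourcetype="app:java" ("Standard Error Message 1" OR "Common Message")
| eval message1=if(searchmatch("\"Standard Error Message 1\""),1,0)
| eval commonmessage=if(searchmatch("\"Common Message\""),1,0)
| stats sum(message1) AS message1_count, sum(commonmessage) AS common_count
| eval counts_match=if(message1_count==common_count,1,0)
| where message1_count>0 AND counts_match=1
```

Scheduled as an alert with the trigger condition "number of results is greater than 0", this fires only for windows in which Standard Error Message 1 appeared at least once and the two counts are equal, which is the Exception Event 1 pattern the poster described (any Exception Event 2 occurrence would add an unmatched Common Message and push `common_count` above `message1_count`). If the application writes a dedicated field such as `msg_id`, replacing the `searchmatch()` calls with `if(msg_id=="ERR-1",1,0)` and `if(msg_id=="COMMON",1,0)` gives the same counts while avoiding the per-event raw-text matching the answer warns about; those field and value names are likewise placeholders.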