Splunk Search

How to filter results of a 2nd search from the main search

D_Rai
New Member

I have a use case where I want to set up Splunk Alerts for certain Exception events. I have already defined standard Error messages for these individual Exceptions. Below is a sample use case:

Exception Event 1:
    Standard Error Message 1
    Common Message

Exception Event 2:
    Common Message

In the above use case, when Exception Event 1 happens, it outputs 2 messages to the Log (Standard Error Message 1 and Common Message). When Exception Event 2 happens, it only outputs the Common Message to the log.

For defining a Splunk Alert for Event 1, I want to ensure that I am checking the 2 counts of search results matching both Message 1 and the Common Message, to ensure that both these searches return the same result count for a given time period. Is it possible to achieve this type of Splunk query using eval and an If statement?

My objective is to ensure that I am able to accurately identify scenario for the Exception Event 1 occurring where both the messages would be output to the logs in the same count.

0 Karma

PickleRick
SplunkTrust

The answer to the question whether it can be achieved _only_ using evals and ifs is almost definitely "no".

It needs a bit more than that.

While your question is a bit vague and it could use some literal examples (possibly anonymized), I assume that you need something like this:

<your index> ((<conditions for error message1>) OR (<conditions for common message>))
| eval message1=if(searchmatch("<conditions for error message1>"),1,0)
| eval commonmessage=if(searchmatch("<conditions for common message>"),1,0)
| stats sum(message1) sum(commonmessage)

Something like this will give you a count of your respective messages over your search window. If those numbers differ, you'll know that you have more messages of one kind than the other.

BTW, searchmatch() is probably not the most efficient way to categorize those events, so if you can specify the rules in a simpler way (for example, match a particular field's value) it will probably be beneficial for search performance.

0 Karma
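A fuller version of the approach in the answer above, added here as an example and not PickleRick's own search: it tags each log line by which message it carries, counts both kinds per 5-minute bucket, and derives the Event 1 and Event 2 counts from the fact stated in the question that Event 1 emits both messages while Event 2 emits only the Common Message. The index name, sourcetype and matching on `_raw` are assumptions; matching on an extracted field is preferable where one exists.

```spl
index=app_logs sourcetype=app:java ("Standard Error Message 1" OR "Common Message")
| eval kind=case(match(_raw, "Standard Error Message 1"), "message1",
                 match(_raw, "Common Message"), "common",
                 true(), "other")
| bin _time span=5m
| stats count(eval(kind="message1")) AS message1_count,
        count(eval(kind="common")) AS common_count
        BY _time
| eval event1_count=message1_count,
       event2_count=common_count-message1_count,
       consistent=if(common_count>=message1_count, "yes", "no")
| where event1_count>0 OR consistent="no"
| table _time message1_count common_count event1_count event2_count consistent
```

Alerting on `event1_count>0` flags Event 1 occurrences, while `consistent="no"` means a Standard Error Message 1 arrived without its Common Message in the same bucket, which points at a pair split across a bucket boundary or a logging defect rather than at an Event 2.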