7

In Splunk search query how to check if log message has a text or not?

Log message:

message:     2018-09-21T07:15:28,458+0000 comp=hub-lora-ingestor-0 [vert.x-eventloop-thread-0] INFO  com.nsc.iot.hono.receiver.HonoReceiver - Connected successfully, creating telemetry consumer ...

and I want to check if message contains "Connected successfully, creating telemetry consumer ..." and based on this want to assign 1 or 0 to a variable

Splunk search Query

(index="05c48b55-c9aa-4743-aa4b-c0ec618691dd" ("Retry connecting in 1000ms ..." OR "Connect or create consumer failed with exception" OR "Connected successfully, creating telemetry consumer ...")) 
| rex field=_raw ^(?:[^ \n]* ){7}(?P<success_status_message>\w+\s+\w+,\s+\w+\s+\w+\s+\w+)"
| timechart count as status | eval status=if(isnull(success_status_message), 0, 1)

success_status_message is always null

Improve this question
2
  • You seem to have answered your own question.
    – RichG
    Commented Sep 21, 2018 at 14:11
  • @RichG no it's not working
    – Pratap A.K
    Commented Sep 22, 2018 at 3:08

1 Answer 1

Reset to default
7

Part of the problem is the regex string, which doesn't match the sample data. Another problem is the unneeded timechart command, which filters out the 'success_status_message' field. Try this search:

(index="05c48b55-c9aa-4743-aa4b-c0ec618691dd" ("Retry connecting in 1000ms ..." OR "Connect or create consumer failed with exception" OR "Connected successfully, creating telemetry consumer ..."))
| rex "\s-\s(?P<success_status_message>.*)" 
| eval status=if(match(success_status_message, "Connected successfully, creating telemetry consumer"), 1, 0)
Improve this answer
3
  • If I don't use the timechart how can I visualize 1 and 0 on a chart?
    – Pratap A.K
    Commented Sep 23, 2018 at 2:58
  • Add your chart or timechart command after the eval. ... | timechart count by status
    – RichG
    Commented Sep 23, 2018 at 12:26
  • thanks.. this was a big help. I used | timechart latest(status) as status span=10m to achieve my requirement
    – Pratap A.K
    Commented Sep 24, 2018 at 4:57

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Not the answer you're looking for? Browse other questions tagged or ask your own question.