Using splunk `searchmatch`

Question

I have some logs from another system to which I need to run a query as follows and I can't modify the way the other system is logging.

index=some-index event=RequestLogging foo OR bar 
| eval errorCount=if(searchmatch("NOT (((foo LABEL1 LABEL2) OR (bar LABEL3 LABEL4)) LABEL5 LABEL6)"), 1, 0)
| stats count as total sum(errorCount) as error
| eval rate=error/total*100

I have logs that has either foo or bar:

For foo I am expecting LABEL1, LABEL2 to be present along with LABEL5 and LABEL6. For bar I am expecting LABEL3, LABEL4 to be present along with LABEL5 and LABEL6.

LABEL5 and LABEL6 are common to both foo and bar

For example for foo, in the logs I expect it as:

event=RequestLogging  foo LABEL1=[value=xyz description=desc1 metadata=[]] LABEL2=[value=abc description=desc2 metadata=[]] LABEL5=[value=def description=desc3 metadata=[]] LABEL6=[value=ghi description= metadata=[]]

My query runs fine and returns error if any of the labels are missing.

An additional req is to ensure that the value field in the label shouldn't be blank.

Example: LABEL5=[value= description= metadata=[]]

The other system logs the value as empty whereas I expect it to have something like:

LABEL5=[value=123 description= metadata=[]]

When I attempted something like this, it didn't work:

"*LABEL5=[value= description*"

index=some-index event=RequestLogging foo OR bar 
| eval errorCount=if(searchmatch("NOT (((foo LABEL1 LABEL2) OR (bar LABEL3 LABEL4)) "*LABEL5=[value= description*" LABEL6)"), 1, 0)
| stats count as total sum(errorCount) as error
| eval rate=error/total*100

How can I update my query to check if value is blank?

If I run it like this then it worked, at least, displaying those logs that have LABEL5's value as blank.

index=some-index event=RequestLogging foo or bar  "*LABEL5=[value= description*"

Using splunk `searchmatch`

Answers (1)

Related Questions