We have JSON logs being stored in Splunk. A sample log record looks like:
{
  "data":
  {
    "hostname": "http://server.com",
    "uri": "/api/something/",
    "service": "service_1",
    "http_status_code": "500"
  }
}
The following search query (to find endpoints which throw 5xx errors) runs on a schedule and puts the results in a KVStore (lookup table):

host=data_source "data{}.http_status_code"=5*
| eval endpoint_url='data{}.hostname'+'data{}.uri'
| stats count(endpoint_url) as error-count by endpoint_url
| outputlookup 5xx-error-lookup
The requirement now is that we only show endpoints (results) that were not part of the previous search.

I am able to filter results against a simple field like service_name with something like:

host=data_source "data{}.http_status_code"=5*
    NOT [| inputlookup 5xx-error-lookup | fields service-name | rename service-name as "data{}.service_name" ]
| eval endpoint_url='data{}.hostname'+'data{}.uri'
| stats count(endpoint_url) as error-count by endpoint_url
What I'd actually want to do is to split the endpoint_url into 'hostname' and 'uri' and filter results based on a match for BOTH these fields. Any inputs please?
Thanks in advance.
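One way to match on both fields, as an added example rather than anything from the original post: keep hostname and uri as separate columns in the lookup, and in the subsearch rename them back to the raw event field names. Splunk turns each lookup row into an AND of its fields and ORs the rows together, so NOT excludes an event only when both hostname and uri match the same stored row. The first search below is the scheduled writer, the second the filter; the host, field and lookup names are the post's own, while the column names hostname, uri and error_count are assumptions.

```spl
host=data_source "data{}.http_status_code"=5*
| eval hostname='data{}.hostname', uri='data{}.uri'
| eval endpoint_url=hostname.uri
| stats count AS error_count BY hostname, uri, endpoint_url
| outputlookup 5xx-error-lookup

host=data_source "data{}.http_status_code"=5*
    NOT [
        | inputlookup 5xx-error-lookup
        | fields hostname uri
        | rename hostname AS "data{}.hostname", uri AS "data{}.uri"
    ]
| eval endpoint_url='data{}.hostname'.'data{}.uri'
| stats count AS error_count BY endpoint_url
```

Because outputlookup replaces the lookup on every run, the filter search has to run against the previous run's contents, i.e. before the scheduled search rewrites them. Subsearches also return at most 10,000 rows by default, so if the lookup grows past that, the lookup command with a null check on its OUTPUT field scales better than NOT [...].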