
I have an event log in Splunk that looks like this:

{ 
  "event": { 
    "Id":"12345",
    "Name": "My Event",
    "Inputs": {
      "Param1":"some value",
      "Param2":"another value"
    },
    "Result": {
      "statusCode":"304"
    }
  }
}

I need to get the value of the statusCode from the Result to determine what kind of error I received. Currently, I'm using the following Splunk query:

index="myIndex"
sourcetype="*"
| spath event
| fields
  _time
  Name
  Result.statusCode
| eval _status="tbd"
| eval _code=statusCode
| eval _code=case(statusCode>=200 AND statusCode<300, "OK", statusCode>=300 AND statusCode<400, "Redirected", statusCode>=400 AND statusCode<500, "User Error", statusCode>500, "Server Error")
| rename
  Name as RequestName
  _code as StatusCode
  _status as Status
| table
  _time
  RequestName
  Status
  StatusCode
  Result.statusCode

The above is a port of the actual query in an effort to isolate the issue. Still, the issue is when I run my query, I can see:

  • _time
  • RequestName
  • Status
  • Result.statusCode

Oddly, and this is the part that is confusing me, I cannot see StatusCode. I need a variable to do additional processing, which is why I have the eval _code statement. However, I'm not having any luck using Result.statusCode as a variable. What am I missing?

Dev

1 Answer


Avoid leading underscores in field ("variable") names as they are hidden by default. Some can only be used after assigning their values to another field.

Also, creating a field and then renaming it is unnecessary unless the final field name will contain spaces or special characters.

It looks like something is missing from the query since only the _time and Result.statusCode fields exist, but statusCode is used often. The case function will return null if statusCode does not exist. The Name field also doesn't exist so I don't understand how you can see RequestName.

index="myIndex"
sourcetype="*"
| spath event
| fields
  _time
  Name
  Result.statusCode
| eval Status="tbd", statusCode='Result.statusCode'
| eval StatusCode=case(statusCode>=200 AND statusCode<300, "OK", 
                       statusCode>=300 AND statusCode<400, "Redirected", 
                       statusCode>=400 AND statusCode<500, "User Error", 
                       statusCode>=500, "Server Error",
                       1==1, statusCode)
| rename
  Name as RequestName
| table
  _time
  RequestName
  Status
  StatusCode
  Result.statusCode
RichG
  • Thank you for your response. I forgot to put `Name` in my list of fields when I copied it over. Still, my issue is with the `StatusCode`. Even if I just do an `eval MyStatusCode=statusCode` or `eval MyStatusCode=Result.statusCode`, I still do not see it in the final `table`. I do see `Result.statusCode` though. – Dev May 17 '22 at 12:08
  • As I mentioned in my answer, there is no field called "statusCode", so the `case` function assigns a null value to StatusCode. Use `eval statusCode='Result.statusCode'` (the single quotes are required) to assign a value. See my updated answer. The single quotes prevent `eval` from interpreting the `.` as the concatenation operator. – RichG May 17 '22 at 12:55
  • The single quotes took care of it for me! Thank you! – Dev May 17 '22 at 15:56
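A self-contained search, added here as an example and not taken from the question or from RichG's answer, that reproduces the behaviour discussed in this thread: it builds the sample event with makeresults, extracts the nested object so that the field Result.statusCode exists, and evaluates that field both unquoted and quoted before classifying the code. The unquoted eval parses Result.statusCode as Result . statusCode, a concatenation of two fields that do not exist, so that column comes back empty; the quoted form returns 304, and the case uses >=500 so that a bare 500 is classified instead of falling through to the default branch.

```spl
| makeresults
| eval _raw="{\"event\":{\"Id\":\"12345\",\"Name\":\"My Event\",\"Result\":{\"statusCode\":\"304\"}}}"
| spath input=_raw path=event output=ev
| spath input=ev
| eval unquoted=Result.statusCode
| eval quoted='Result.statusCode'
| eval code=tonumber(quoted)
| eval Status=case(code>=200 AND code<300, "OK",
                   code>=300 AND code<400, "Redirected",
                   code>=400 AND code<500, "User Error",
                   code>=500, "Server Error",
                   1==1, "Unknown")
| table Name unquoted quoted code Status
```

Paste it into any search bar with no index needed; tonumber is used so the comparisons are numeric rather than relying on Splunk coercing the string "304".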