
I am using the Splunk Java SDK to search for a pattern on a Splunk server. I am using the pattern

search index=* env=* (GET OR POST OR PUT OR DELETE) | where isNum(httpStatusCode)

When I use this query with the Java SDK, Splunk does not send any events. But when I run the query from the Splunk web app, it shows the response. My Splunk log contains two types of events: one with httpStatusCode as a string and another with httpStatusCode as a number. Both types of events are below:

Type 1

[31/Jan/2019:10:27:49.970 +0000] 10.255.0.93 "GET URL HTTP/1.1" 200 46 10 host "34*, 10.*, 54.*"
HTTP status code =200

Type 2

[31/Jan/2019:10:27:49.961 +0000] http-nio-8080-exec-58 INFO RequestID=36de3bde-277a-4f60-82c9-2802debe0593 RequestPath=http:* RequestMethod=GET TimeTaken=3 ms
httpStatusCode =    RequestApplication=someString

How can I segregate the events which have a status of type number through the Splunk REST API?

Thanks in advance.

yash
Gopal Kumar

1 Answer

In this case, in some scenarios httpStatusCode is filled with a null value. You can use Splunk's predefined fillnull function to fill those null values with any default number. You can use the query below, where I have filled the null values with 0; it will return both types of events. If you want to filter, add a WHERE pipe as required.

search index=* env=* (GET OR POST OR PUT OR DELETE) | fillnull value=0 httpStatusCode

Hope this will help.

yash
Deepesh
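When the split has to be done on the client after the search returns, the raw events can be classified directly. The Python code below is an added example, not part of the original question or answer; the two event layouts and the sample lines are constructed from the events shown in the question, and the function names are hypothetical.

```python
import re

# Assumed layouts, constructed from the two event types in the question:
#   access-log style: ... "GET /path HTTP/1.1" 200 46 10 ...
#   key=value style:  ... RequestMethod=GET httpStatusCode=<value> ...
ACCESS_RE = re.compile(r'"(?:GET|POST|PUT|DELETE) \S+ HTTP/[\d.]+" (\S+)')
# The value may not contain '=', so an empty httpStatusCode followed by the
# next key=value pair is read as empty, not as the neighbouring key.
KV_RE = re.compile(r'\bhttpStatusCode\s*=[ \t]*([^\s=]*)(?=\s|$)')
STATUS_RE = re.compile(r'[1-5][0-9]{2}')  # three ASCII digits, 100-599


def extract_status(raw):
    """Return the status token of a raw event, or None if absent or empty."""
    m = ACCESS_RE.search(raw)
    if m:
        return m.group(1)
    m = KV_RE.search(raw)
    if m and m.group(1):
        return m.group(1)
    return None


def split_events(raw_events):
    """Split events into (numeric status, raw) and (other token, raw) lists."""
    numeric, other = [], []
    for raw in raw_events:
        status = extract_status(raw)
        if status is not None and STATUS_RE.fullmatch(status):
            numeric.append((int(status), raw))
        else:
            other.append((status, raw))
    return numeric, other


# Constructed sample events (not real log data).
SAMPLE = [
    '[31/Jan/2019:10:27:49.970 +0000] 10.255.0.93 "GET /api/items HTTP/1.1" 200 46 10 host',
    '[31/Jan/2019:10:27:49.961 +0000] http-nio-8080-exec-58 INFO RequestMethod=GET '
    'TimeTaken=3 ms httpStatusCode =    RequestApplication=someString',
    '[31/Jan/2019:10:27:50.002 +0000] http-nio-8080-exec-59 INFO RequestMethod=POST '
    'TimeTaken=7 ms httpStatusCode=404 RequestApplication=someString',
    '[31/Jan/2019:10:27:50.100 +0000] 10.255.0.93 "PUT /api/items/1 HTTP/1.1" - 0 2 host',
]

if __name__ == "__main__":
    numeric, other = split_events(SAMPLE)
    print("numeric:", [s for s, _ in numeric])
    print("other:  ", [s for s, _ in other])
```

Events with an empty or non-numeric status land in the second list instead of being dropped, so they can still be counted or reviewed.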