topic Re: Show only those filetype name which came in logs , any if filetype is missed than it must show in result in Splunk ITSI

Show only those filetype name which came in logs , any if filetype is missed than it must show in result

Hemant1 — Wed, 20 Jun 2018 09:47:23 GMT

Hi , i am facing some issue with query. My question is how to show only those filetype name which came in logs. Check in lookupfile, if any if filetype is missed then it must show in result.

index=sap_bam sourcetype=sap_d059
| lookup sap_filetype.csv filetype as filetype
| dedup source
| stats count by filetype
| rename count as filecount
| eval alertme=if((filecount=0) OR isnull(filecount),1,0)
| fields sourcetype filetype filecount alertme 
| table filetype filecount alertme

Re: Show only those filetype name which came in logs , any if filetype is missed than it must show in result

DalJeanis — Wed, 20 Jun 2018 18:14:47 GMT

We've updated the title and language to clarify the question, somewhat.

Re: Show only those filetype name which came in logs , any if filetype is missed than it must show in result

DalJeanis — Wed, 20 Jun 2018 18:21:03 GMT

It's difficult to make out exactly what the use case is, but we've clarified your question as much as possible.

I believe you are trying to receive an alert when any particular "filetype" has not been seen in a certain length of time.

Here are some answers that have searches you can model

using a lookup as a base list

https://answers.splunk.com/answers/374128/how-do-i-edit-my-inputlookup-search-to-alert-on-mi.html

using tstats to generate a base list

https://answers.splunk.com/answers/3181/how-do-i-alert-when-a-host-stops-sending-data.html

Re: Show only those filetype name which came in logs , any if filetype is missed than it must show in result

woodcock — Sat, 30 Jun 2018 22:53:21 GMT

I cannot understand what you are asking. Perhaps have a colleague review the words that you are using and re-edit to add clarity.