https://community.splunk.com/t5/Splunk-Search/Identify-missing-events-based-Lookup-list-of-values/m-p/535876#M151480 <P>Thanks&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/161352">@gcusello</a>&nbsp;. It worked..</P><P>Only change i made was to rename the event field name (job_code) to match the lookup field name (jobCode)</P><P>&nbsp;</P><LI-CODE lang="markup">index=default source=jobfeed | stats count BY job_code | rename job_code as jobCode | append [ | inputlookup jobs.csv | eval count=0 | fields jobCode count ] | stats sum(count) AS total BY jobCode | where total=0</LI-CODE><P>&nbsp;</P><P>&nbsp;</P> Thu, 14 Jan 2021 17:02:34 GMT rangarbus 2021-01-14T17:02:34Z https://community.splunk.com/t5/Splunk-Search/Identify-missing-events-based-Lookup-list-of-values/m-p/535700#M151408 <P>Hey Team</P><P>I have events which contains a field "job_code".&nbsp;</P><P><EM>index=default source=jobfeed&nbsp;</EM></P><P>I have a lookup (jobs.csv) which has the list of allowed job codes.&nbsp;</P><TABLE border="1" width="100%"><TBODY><TR><TD width="50.12870012870013%" height="25px"><EM>jobCode</EM></TD><TD width="49.87129987129987%" height="25px"><EM>jobDesc</EM></TD></TR><TR><TD width="50.12870012870013%" height="25px"><EM>000</EM></TD><TD width="49.87129987129987%" height="25px"><EM>EX</EM></TD></TR><TR><TD width="50.12870012870013%" height="25px"><EM>001</EM></TD><TD width="49.87129987129987%" height="25px"><EM>PT</EM></TD></TR></TBODY></TABLE><P>&nbsp;</P><P>My requirement is to generate an alert every day,&nbsp;<SPAN>If any of the jobCode available in lookup didn't show up at all on the events for past 2 days.</SPAN></P><P>For instance,&nbsp; for past 2 days if splunk didn't receive event with job_code as 000 , then i need an alert.</P><P>I need this check for all the jobCode in the lookup table.</P><P>Can you please help me with a query for this?</P><P>Thank you</P> Wed, 13 Jan 2021 18:51:06 GMT https://community.splunk.com/t5/Splunk-Search/Identify-missing-events-based-Lookup-list-of-values/m-p/535700#M151408 rangarbus 2021-01-13T18:51:06Z https://community.splunk.com/t5/Splunk-Search/Identify-missing-events-based-Lookup-list-of-values/m-p/535791#M151445 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/226197">@rangarbus</a>,</P><P>it's the same solution to identify missing hosts, something like this:</P><P>&nbsp;</P><LI-CODE lang="markup">index=default source=jobfeed | stats count BY job_code | append [ | inputlookup jobs.csv | eval count=0 | fields job_code count ] | stats sum(count) AS total BY host | where total=0</LI-CODE><P>&nbsp;</P><P>You can define the scheduling and related timeperiod fo this alert (e.g. 24 h).</P><P>In few words: total=0 means that the zero value is from lookup and you haven't any log from the main search.</P><P>Ciao.</P><P>Giuseppe</P> Thu, 14 Jan 2021 09:08:49 GMT https://community.splunk.com/t5/Splunk-Search/Identify-missing-events-based-Lookup-list-of-values/m-p/535791#M151445 gcusello 2021-01-14T09:08:49Z https://community.splunk.com/t5/Splunk-Search/Identify-missing-events-based-Lookup-list-of-values/m-p/535876#M151480 <P>Thanks&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/161352">@gcusello</a>&nbsp;. It worked..</P><P>Only change i made was to rename the event field name (job_code) to match the lookup field name (jobCode)</P><P>&nbsp;</P><LI-CODE lang="markup">index=default source=jobfeed | stats count BY job_code | rename job_code as jobCode | append [ | inputlookup jobs.csv | eval count=0 | fields jobCode count ] | stats sum(count) AS total BY jobCode | where total=0</LI-CODE><P>&nbsp;</P><P>&nbsp;</P> Thu, 14 Jan 2021 17:02:34 GMT https://community.splunk.com/t5/Splunk-Search/Identify-missing-events-based-Lookup-list-of-values/m-p/535876#M151480 rangarbus 2021-01-14T17:02:34Z https://community.splunk.com/t5/Splunk-Search/Identify-missing-events-based-Lookup-list-of-values/m-p/535882#M151481 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/226197">@rangarbus</a>,</P><P>I'm sorry with you becase I wasn't so explicit:</P><P>with the above search, using the condition "| where total=0" you take only the job_codes that are in the lookup but not in the search!</P><P>The solution is just to solve the problem that when a job_codes is missing it isn't in the main search result, for this reason you added the subsearch with the count=0:</P><P>total=0 means that you haven't results in the main search and the job_codes are missing.</P><P>Running the search without the condition "| where total=0", you have both the conditions:</P><UL><LI>if total&gt;0 you have events for that job_code</LI><LI>if total=0 you haven't events for that job_code</LI></UL><P>Ciao.</P><P>Giuseppe</P> Thu, 14 Jan 2021 17:06:19 GMT https://community.splunk.com/t5/Splunk-Search/Identify-missing-events-based-Lookup-list-of-values/m-p/535882#M151481 gcusello 2021-01-14T17:06:19Z https://community.splunk.com/t5/Splunk-Search/Identify-missing-events-based-Lookup-list-of-values/m-p/535955#M151505 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/226197">@rangarbus</a>,</P><P>good for you.</P><P>Ciao and happy splunking.</P><P>Giuseppe</P><P>P.S.: Karma Points are appreciated <span class="lia-unicode-emoji" title=":winking_face:">😉</span></P> Fri, 15 Jan 2021 07:11:25 GMT https://community.splunk.com/t5/Splunk-Search/Identify-missing-events-based-Lookup-list-of-values/m-p/535955#M151505 gcusello 2021-01-15T07:11:25Z