https://community.splunk.com/t5/Splunk-Search/Verify-a-list-of-values/m-p/352003#M175165 <P>Hello everybody (皆おはようございます)<BR /> I have a new request for all members <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span><BR /> This search : <BR /> sourcetype=sccm |streamstats count current=t reset_on_change=true by date_wday,date_month,date_hour,date_minute,date_second, Service_Status | table count, Service_Status,Service_Name </P> <P>Result :<BR /> count Service_Status Service_Name<BR /> 1 Found service XDSnscls<BR /> 2 Found service XDSsnaptunnel<BR /> 3 Found service XDSclm<BR /> 4 Found service XDSsdsd<BR /> 5 Found service XDSsccm<BR /> 6 Found service XDSsccmms<BR /> 7 Found service XDSdss<BR /> 8 Found service XDSauth</P> <P>This is the same pattern every time and I wish to create an alert. <BR /> For example : <BR /> Verify the list of Service_Name and if one of them isn't in the list, I have an alert.</P> <P>Thanks for your help.<BR /> Best regards<BR /> Laurent </P> Tue, 29 Sep 2020 13:12:37 GMT LNebout 2020-09-29T13:12:37Z https://community.splunk.com/t5/Splunk-Search/Verify-a-list-of-values/m-p/352003#M175165 <P>Hello everybody (皆おはようございます)<BR /> I have a new request for all members <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span><BR /> This search : <BR /> sourcetype=sccm |streamstats count current=t reset_on_change=true by date_wday,date_month,date_hour,date_minute,date_second, Service_Status | table count, Service_Status,Service_Name </P> <P>Result :<BR /> count Service_Status Service_Name<BR /> 1 Found service XDSnscls<BR /> 2 Found service XDSsnaptunnel<BR /> 3 Found service XDSclm<BR /> 4 Found service XDSsdsd<BR /> 5 Found service XDSsccm<BR /> 6 Found service XDSsccmms<BR /> 7 Found service XDSdss<BR /> 8 Found service XDSauth</P> <P>This is the same pattern every time and I wish to create an alert. <BR /> For example : <BR /> Verify the list of Service_Name and if one of them isn't in the list, I have an alert.</P> <P>Thanks for your help.<BR /> Best regards<BR /> Laurent </P> Tue, 29 Sep 2020 13:12:37 GMT https://community.splunk.com/t5/Splunk-Search/Verify-a-list-of-values/m-p/352003#M175165 LNebout 2020-09-29T13:12:37Z https://community.splunk.com/t5/Splunk-Search/Verify-a-list-of-values/m-p/352004#M175166 <P>My solution would be:<BR /> 1. Create a lookup file with the services that you expect. Two columns; service_name and status. Status is a dummy field.<BR /> 2. Create a search which starts with | inputlookup and join that with your search so if your search doesn't return a result you miss a field from that search. Finish the search with | search NOT certainField = *<BR /> 3. Create an alert based on that search which results in all events from the lookup for which no data was found in the index.</P> Mon, 13 Mar 2017 11:57:53 GMT https://community.splunk.com/t5/Splunk-Search/Verify-a-list-of-values/m-p/352004#M175166 cmeerbeek 2017-03-13T11:57:53Z https://community.splunk.com/t5/Splunk-Search/Verify-a-list-of-values/m-p/352005#M175167 <P>cmeerbeek,<BR /> Thanks for your solution.<BR /> That works good. I hope our partners will not change the number of services or there name.<BR /> Best regards,<BR /> laurent</P> Wed, 15 Mar 2017 00:38:01 GMT https://community.splunk.com/t5/Splunk-Search/Verify-a-list-of-values/m-p/352005#M175167 LNebout 2017-03-15T00:38:01Z