topic Re: search for a string in field , if not there then trigger alert with remaining data in fields in Splunk Search https://community.splunk.com/t5/Splunk-Search/search-for-a-string-in-field-if-not-there-then-trigger-alert/m-p/568880#M198279 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/54377">@kirrusk</a>,</P><P>let me understand:</P><UL><LI>your need is a two phases check:<UL><LI>check if in Field2 there's the string "Successful",</LI><LI>then display the values of the Field2 field below "Successful"</LI></UL></LI></UL><P>Is this correct?</P><P>If this is your need, please try something like this:</P><LI-CODE lang="markup">index=your_index ield2=* | transaction startswith="Successful" | mvexpand field2 | search field2!="Successful" | table _time field2</LI-CODE><P>if the number of events after "Successful" is fixes (e.g. always 2), you could be more precise adding an option to the transaction command "maxevents=2".</P><P>Ciao.</P><P>Giuseppe</P> Wed, 29 Sep 2021 06:58:32 GMT gcusello 2021-09-29T06:58:32Z search for a string in field , if not there then trigger alert with remaining data in fields https://community.splunk.com/t5/Splunk-Search/search-for-a-string-in-field-if-not-there-then-trigger-alert/m-p/568879#M198278 <P>Hi,</P><P>I want to check for a string in the field, but if the string is not found in the field then need to print the remaining data. (last 15 mins data)<BR /><BR />for example,</P><P>Field1&nbsp; &nbsp; &nbsp; Field2&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;<BR />9/2/10&nbsp; &nbsp;successful<BR />9/2/10&nbsp; &nbsp;creating the file<BR />9/2/10&nbsp; &nbsp;created<BR /><BR />from the above table, I want to check the Field2 for the last 15mins for string "successful", if no string is found in Field2 with "successful", Then need to trigger an alert with the remaining data like below.<BR /><BR /><BR />Field1&nbsp; &nbsp; &nbsp; Field2&nbsp;<BR />9/2/10&nbsp; &nbsp;creating the file<BR />9/2/10&nbsp; &nbsp;created<BR /><BR /></P><P>is this possbile in splunk.</P> Wed, 29 Sep 2021 06:40:39 GMT https://community.splunk.com/t5/Splunk-Search/search-for-a-string-in-field-if-not-there-then-trigger-alert/m-p/568879#M198278 kirrusk 2021-09-29T06:40:39Z Re: search for a string in field , if not there then trigger alert with remaining data in fields https://community.splunk.com/t5/Splunk-Search/search-for-a-string-in-field-if-not-there-then-trigger-alert/m-p/568880#M198279 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/54377">@kirrusk</a>,</P><P>let me understand:</P><UL><LI>your need is a two phases check:<UL><LI>check if in Field2 there's the string "Successful",</LI><LI>then display the values of the Field2 field below "Successful"</LI></UL></LI></UL><P>Is this correct?</P><P>If this is your need, please try something like this:</P><LI-CODE lang="markup">index=your_index ield2=* | transaction startswith="Successful" | mvexpand field2 | search field2!="Successful" | table _time field2</LI-CODE><P>if the number of events after "Successful" is fixes (e.g. always 2), you could be more precise adding an option to the transaction command "maxevents=2".</P><P>Ciao.</P><P>Giuseppe</P> Wed, 29 Sep 2021 06:58:32 GMT https://community.splunk.com/t5/Splunk-Search/search-for-a-string-in-field-if-not-there-then-trigger-alert/m-p/568880#M198279 gcusello 2021-09-29T06:58:32Z Re: search for a string in field , if not there then trigger alert with remaining data in fields https://community.splunk.com/t5/Splunk-Search/search-for-a-string-in-field-if-not-there-then-trigger-alert/m-p/568884#M198281 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/161352">@gcusello</a>&nbsp;</P><P>@gcusello&nbsp;<BR />Thank you, but my intention is to trigger an alert with the remaining data in Field2.<BR />if there is no string("Successful") at all in&nbsp;Field2.</P><P>sample alert,</P><P>no log found for successful, Please find logs</P><P>Field1&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;Field2<BR />9/2/10&nbsp; &nbsp; &nbsp; &nbsp; &nbsp;creating the file<BR />9/2/10&nbsp; &nbsp; &nbsp; &nbsp; &nbsp;created</P> Wed, 29 Sep 2021 07:30:04 GMT https://community.splunk.com/t5/Splunk-Search/search-for-a-string-in-field-if-not-there-then-trigger-alert/m-p/568884#M198281 kirrusk 2021-09-29T07:30:04Z Re: search for a string in field , if not there then trigger alert with remaining data in fields https://community.splunk.com/t5/Splunk-Search/search-for-a-string-in-field-if-not-there-then-trigger-alert/m-p/568886#M198282 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/54377">@kirrusk</a>,</P><P>ok, please try something like this:</P><LI-CODE lang="markup">index=your_index field2=* | eval check=if(field2="Successful","Yes","No") | stats values(EventCode) AS EventCode values(check) AS check dc(check) AS dc_check earliest(_time) AS _time | search dc_check=1 check=No | mvexpand field2 | table _time field2</LI-CODE><P>in this way, you check if in your logs there's the "Successful" string:</P><UL><LI>if present, there's no result in the search,</LI><LI>if not present, it displays all the field2 values.</LI></UL><P>Ciao.</P><P>Giuseppe</P> Wed, 29 Sep 2021 07:48:25 GMT https://community.splunk.com/t5/Splunk-Search/search-for-a-string-in-field-if-not-there-then-trigger-alert/m-p/568886#M198282 gcusello 2021-09-29T07:48:25Z Re: search for a string in field , if not there then trigger alert with remaining data in fields https://community.splunk.com/t5/Splunk-Search/search-for-a-string-in-field-if-not-there-then-trigger-alert/m-p/568898#M198284 <LI-CODE lang="markup">index=your_index Field2=* | eval check=if(Field2="Successful","Yes",null()) | eventstats values(check) AS check | where isnull(check)</LI-CODE> Wed, 29 Sep 2021 08:57:52 GMT https://community.splunk.com/t5/Splunk-Search/search-for-a-string-in-field-if-not-there-then-trigger-alert/m-p/568898#M198284 ITWhisperer 2021-09-29T08:57:52Z