https://community.splunk.com/t5/Splunk-Search/find-NOCLOSESESSION-in-logs-daily/m-p/570786#M198909 <P>Hi<BR />I have two field on my logfile &lt;servername&gt; &lt;CLOSESESSION&gt; need to know when CLOSESESSION is 0 each day by servername.<BR />everyday I expect CLOSESESSION appear on my server logs, if one or more server has no CLOSESESSION it means something going wrong.</P><P>here is the spl:<BR />index="my_index"<BR />| rex field=source "(?&lt;servername&gt;\w+)."<BR />| rex "CLOSESESSION\:\s+(?&lt;CLOSESESSION&gt;\w+)"</P><P>| table _time servername CLOSESESSION</P><P>&nbsp;</P><P>Expected output:</P><P>Servername&nbsp; &nbsp; &nbsp;cause</P><P>Server10&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;NOCLOSESESSION</P><P>Server15&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; NOCLOSESESSION</P><P>&nbsp;</P><P>any idea?</P><P>Thanks,</P> Wed, 13 Oct 2021 14:04:29 GMT indeed_2000 2021-10-13T14:04:29Z https://community.splunk.com/t5/Splunk-Search/find-NOCLOSESESSION-in-logs-daily/m-p/570786#M198909 <P>Hi<BR />I have two field on my logfile &lt;servername&gt; &lt;CLOSESESSION&gt; need to know when CLOSESESSION is 0 each day by servername.<BR />everyday I expect CLOSESESSION appear on my server logs, if one or more server has no CLOSESESSION it means something going wrong.</P><P>here is the spl:<BR />index="my_index"<BR />| rex field=source "(?&lt;servername&gt;\w+)."<BR />| rex "CLOSESESSION\:\s+(?&lt;CLOSESESSION&gt;\w+)"</P><P>| table _time servername CLOSESESSION</P><P>&nbsp;</P><P>Expected output:</P><P>Servername&nbsp; &nbsp; &nbsp;cause</P><P>Server10&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;NOCLOSESESSION</P><P>Server15&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; NOCLOSESESSION</P><P>&nbsp;</P><P>any idea?</P><P>Thanks,</P> Wed, 13 Oct 2021 14:04:29 GMT https://community.splunk.com/t5/Splunk-Search/find-NOCLOSESESSION-in-logs-daily/m-p/570786#M198909 indeed_2000 2021-10-13T14:04:29Z https://community.splunk.com/t5/Splunk-Search/find-NOCLOSESESSION-in-logs-daily/m-p/570788#M198910 <P>Try this</P><LI-CODE lang="markup">index="my_index" | rex field=source "(?&lt;servername&gt;\w+)." | rex "CLOSESESSION\:\s+(?&lt;CLOSESESSION&gt;\w+)" | stats dc(CLOSESESSION) as CLOSESESSIONs by servername | where CLOSESESSIONs=0</LI-CODE> Wed, 13 Oct 2021 14:46:17 GMT https://community.splunk.com/t5/Splunk-Search/find-NOCLOSESESSION-in-logs-daily/m-p/570788#M198910 somesoni2 2021-10-13T14:46:17Z https://community.splunk.com/t5/Splunk-Search/find-NOCLOSESESSION-in-logs-daily/m-p/570789#M198911 <P>Would something like this work for you?</P><LI-CODE lang="markup">index="my_index" | rex field=source "(?&lt;servername&gt;\w+)." | rex "CLOSESESSION\:\s+(?&lt;CLOSESESSION&gt;\w+)" | fillnull value="NOCLOSESESSION" CLOSESESSION | bin _time span=1d | stats values(CLOSESESSION) as CLOSESESSION by _time servername | eval CLOSESESSION=mvjoin(CLOSESESSION,"") | where CLOSESESSION="NOCLOSESESSION"</LI-CODE> Wed, 13 Oct 2021 14:49:35 GMT https://community.splunk.com/t5/Splunk-Search/find-NOCLOSESESSION-in-logs-daily/m-p/570789#M198911 ITWhisperer 2021-10-13T14:49:35Z https://community.splunk.com/t5/Splunk-Search/find-NOCLOSESESSION-in-logs-daily/m-p/570796#M198914 <P>not work, here is the log:</P><P>23:54:00.957 app server 1 module: CLOSESESSION</P><P>23:54:00.958 app server 3 module: CLOSESESSION</P><P>23:54:00.959 app server 4 module: CLOSESESSION</P><P>&nbsp;</P><P>Expected output:</P><P>Servername&nbsp; &nbsp; &nbsp;cause</P><P>Server2&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;NOCLOSESESSION</P> Wed, 13 Oct 2021 15:41:11 GMT https://community.splunk.com/t5/Splunk-Search/find-NOCLOSESESSION-in-logs-daily/m-p/570796#M198914 indeed_2000 2021-10-13T15:41:11Z https://community.splunk.com/t5/Splunk-Search/find-NOCLOSESESSION-in-logs-daily/m-p/570798#M198915 <P>not work, here is the log:</P><P>23:54:00.957 app server 1 module: CLOSESESSION</P><P>23:54:00.958 app server 3 module: CLOSESESSION</P><P>23:54:00.959 app server 4 module: CLOSESESSION</P><P>&nbsp;</P><P>Expected output:</P><P>Servername&nbsp; &nbsp; &nbsp;cause</P><P>Server2&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;NOCLOSESESSION</P> Wed, 13 Oct 2021 15:42:16 GMT https://community.splunk.com/t5/Splunk-Search/find-NOCLOSESESSION-in-logs-daily/m-p/570798#M198915 indeed_2000 2021-10-13T15:42:16Z https://community.splunk.com/t5/Splunk-Search/find-NOCLOSESESSION-in-logs-daily/m-p/570800#M198916 <P>If those are your logs, the issue may be with the rex - try something like this</P><LI-CODE lang="markup">| rex "\:\s+(?&lt;CLOSESESSION&gt;CLOSESESSION)"</LI-CODE> Wed, 13 Oct 2021 15:48:20 GMT https://community.splunk.com/t5/Splunk-Search/find-NOCLOSESESSION-in-logs-daily/m-p/570800#M198916 ITWhisperer 2021-10-13T15:48:20Z https://community.splunk.com/t5/Splunk-Search/find-NOCLOSESESSION-in-logs-daily/m-p/570828#M198927 <P>still have issue, i think need two search here, first extract all server names from file name that exist in path from metadata for faster result, then in second query check which one has not&nbsp;CLOSESESSION</P><P>&nbsp;</P><P>somthing like this:</P><P>1- list of all log files exist (per server)<BR />| metadata type=sources index=my_index | table source</P><P>2-filter just lines have&nbsp;CLOSESESSION<BR />index="my_index" |<FONT color="#FF0000"> search CLOSESESSION</FONT><BR /><FONT color="#993366"><STRONG>| rex extracted server names of field "source" from STEP 1</STRONG></FONT><BR />| rex "\:\s+(?&lt;CLOSESESSION&gt;CLOSESESSION)" |<BR />| fillnull value="NOCLOSESESSION" CLOSESESSION<BR />| bin _time span=1d<BR />| stats values(CLOSESESSION) as CLOSESESSION by _time servername<BR />| eval CLOSESESSION=mvjoin(CLOSESESSION,"")<BR />| where CLOSESESSION="NOCLOSESESSION"</P><P>&nbsp;</P><P>here is the logs:</P><P>23:54:00.957 app server 1 module: CLOSESESSION</P><P>23:54:00.958 app server 3 module: CLOSESESSION</P><P>23:54:00.959 app server 4 module: CLOSESESSION</P><P>&nbsp;</P><P>Expected output step 1:</P><P>servernames</P><P>server 1</P><P>server 2</P><P>server 3</P><P>server 4</P><P>&nbsp;</P><P>Expected output step 2:</P><P>Servername&nbsp; &nbsp; &nbsp;cause</P><P>Server2&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;NOCLOSESESSION</P> Wed, 13 Oct 2021 17:46:26 GMT https://community.splunk.com/t5/Splunk-Search/find-NOCLOSESESSION-in-logs-daily/m-p/570828#M198927 indeed_2000 2021-10-13T17:46:26Z https://community.splunk.com/t5/Splunk-Search/find-NOCLOSESESSION-in-logs-daily/m-p/570840#M198933 <P>You would basically need a lookup table file with all your server names (say lookup table file name will be&nbsp; servers.csv with column servername) . Once you've this setup, you can run something like this</P><LI-CODE lang="markup">index="my_index" | rex field=source "(?&lt;servername&gt;\w+)." | rex "CLOSESESSION\:\s+(?&lt;CLOSESESSION&gt;\w+)" | stats dc(CLOSESESSION) as CLOSESESSIONs by servername | append [| inputlookup servers.csv | table servername | eval CLOSESESSIONs=0] | stats max(CLOSESESSIONs) as CLOSESESSIONs by servername | where CLOSESESSIONs=0 </LI-CODE><P>&nbsp;</P><P>&nbsp;</P> Wed, 13 Oct 2021 18:39:39 GMT https://community.splunk.com/t5/Splunk-Search/find-NOCLOSESESSION-in-logs-daily/m-p/570840#M198933 somesoni2 2021-10-13T18:39:39Z https://community.splunk.com/t5/Splunk-Search/find-NOCLOSESESSION-in-logs-daily/m-p/570865#M198944 <P>is it possible without csv file?</P> Wed, 13 Oct 2021 21:59:48 GMT https://community.splunk.com/t5/Splunk-Search/find-NOCLOSESESSION-in-logs-daily/m-p/570865#M198944 indeed_2000 2021-10-13T21:59:48Z https://community.splunk.com/t5/Splunk-Search/find-NOCLOSESESSION-in-logs-daily/m-p/571074#M198996 <P>after several try find solution</P><P>| metadata type=hosts index=my_index<BR />| eval count=0<BR />| table host count<BR />| append<BR />[ search index=my_index CLOSESESSION<BR />| stats count by host ]<BR />| stats sum(count) as number by host | where number=0</P> Fri, 15 Oct 2021 09:25:53 GMT https://community.splunk.com/t5/Splunk-Search/find-NOCLOSESESSION-in-logs-daily/m-p/571074#M198996 indeed_2000 2021-10-15T09:25:53Z