topic Re: return events that not match in Splunk Search

return events that not match

indeed_2000 — Sun, 31 Oct 2021 06:04:07 GMT

Hi
I have field that call "servername" that return this:
...| table servername
server1
server2
server3

need spl that when I give list of my servername, return which servername not exist

expected output:
...|search server1 OR server2 OR server3 OR server4 | table servername status

servername status
server4 X

any idea?

Thanks

Re: return events that not match

ITWhisperer — Sun, 31 Oct 2021 08:34:27 GMT

This is a classic case of wanting splunk to make stuff up!

If the event doesn't exist, how does splunk know what to return?

Answer, you need to tell it!

This is often done by getting the events from another source, either a lookup file e.g. csv file/store or a different search e.g. over a different time period, then combining this with the original search and looking for events which occur in one search and not in the other.

Re: return events that not match

PickleRick — Sun, 31 Oct 2021 08:47:53 GMT

Splunk on its own only passes returned data past the pipe. It has no idea what the search was. So it doesn't matter if you were searching for just 3 hosts or for 4 and one just wasn't there. You simply get your resulting events.

So if you want to have stats for non-existing entities (servername in your case) you have to prepare "baseline" values append them to original results and combine them together

<your search> 
| append
 [ | inputlookup baseline.csv ]
| stats values(status) by servername
| eval status=if(mvcount(status)=1,status,mvfilter(status!="X"))

Re: return events that not match

indeed_2000 — Sun, 31 Oct 2021 13:57:07 GMT

is it possibe do this without csv file?

Re: return events that not match

indeed_2000 — Sun, 31 Oct 2021 13:58:03 GMT

is it possible to do this without csv file?

Re: return events that not match

ITWhisperer — Sun, 31 Oct 2021 15:02:30 GMT

Yes, as I suggested, a different search might be used to return all the server names, assuming you have the events indexed, or you could use makeresults to generate a set of events with the server names you are looking for.

Re: return events that not match

PickleRick — Sun, 31 Oct 2021 16:55:14 GMT

Sure. You can use search through earlier events (question is - do you have all servers there), you can craft them by hand (not very convenient if the number of servers grow). It's just that lookup is easiest to use.