topic Re: Real time search, how to check if event doesn't exist and return something if it doesn't. in Splunk Search

Real time search, how to check if event doesn't exist and return something if it doesn't.

DavidHourani — Tue, 24 Feb 2015 13:47:01 GMT

Hello,

I have some logs arriving into splunk every 5 minutes from a script running on an application server. The final line of logs indicates whether the script is complete or not. and looks something like this:

END :DATA COLLECTED ON 24 February 2015 at 14:41:23

I would like to check with real time if this line is there or not and if it isn't I would like to return a specific value indicating that the line is not there.

Is this possible via an Eval command ?

Regards,
David

Re: Real time search, how to check if event doesn't exist and return something if it doesn't.

markthompson — Tue, 24 Feb 2015 13:56:13 GMT

This is easy enough.

If you use an eval if statement with a regex that uses match, in the form of :

eval IsPresent=if(match(_raw,"REGEX"), IfPresent, IfNotPresent)

That should work for you, but you'll need to put a regex in.

Re: Real time search, how to check if event doesn't exist and return something if it doesn't.

DavidHourani — Tue, 24 Feb 2015 14:04:30 GMT

Thank you Mark!

This works in some cases but if there is no results displayed in the search the eval does not add an extra field. I found the answer on how to solve it here :

http://answers.splunk.com/answers/50379/table-message-when-no-results-found.html

Re: Real time search, how to check if event doesn't exist and return something if it doesn't.

markthompson — Tue, 24 Feb 2015 14:09:21 GMT

No Problem, glad it helped, as a matter of fact I was just reading that thread!

It works on a similar concept, if it can't find it then you could set the msg field where it says IfNotPresent.

Alternatively you could set IfPresent to "Complete" or "Not Completed" and table it, which would then produce a similar result.

All in all, a good result 🙂