topic Re: How to find missing values from a search events compared to a list - (either a lookup file or a declared values) in Splunk Search https://community.splunk.com/t5/Splunk-Search/How-to-find-missing-values-from-a-search-events-compared-to-a/m-p/310588#M93157 <P>@hulgundi, if this worked for you, please click <CODE>Accept</CODE> to close the question and help others find valid solutions more easily.</P> Thu, 28 Jun 2018 16:13:37 GMT woodcock 2018-06-28T16:13:37Z How to find missing values from a search events compared to a list - (either a lookup file or a declared values) https://community.splunk.com/t5/Splunk-Search/How-to-find-missing-values-from-a-search-events-compared-to-a/m-p/310586#M93155 <P>I need to find the missing list of process from a list of hosts and setup an alert</P> <P>There will be number of process ~ 16 process to be monitored on number of hosts.</P> <P>I need some help in evaluating which process is missing<BR /> I can take lookup file approach but would like to do a search and eval with out using a lookup.</P> <P>I tried this way </P> <PRE><CODE>earliest=-10m@m (index=os* OR index=matrix_os) source=ps host=abc* |rex field=COMMAND "somename\/(?[^\/]*)/httpd/sbin/httpd" |stats count by inst host |eval mylist="inst0,inst1,test1,test2" |eval procname=split(mylist,",")|mvexpand procname|eval is_running=if(match(procname, inst),1,0)|table is_running host inst count procname </CODE></PRE> <P>This lists out all matching and non matching . I want to just list out where procname=test1 on host which is not found.</P> Wed, 30 Aug 2017 19:26:30 GMT https://community.splunk.com/t5/Splunk-Search/How-to-find-missing-values-from-a-search-events-compared-to-a/m-p/310586#M93155 hulgundi 2017-08-30T19:26:30Z Re: How to find missing values from a search events compared to a list - (either a lookup file or a declared values) https://community.splunk.com/t5/Splunk-Search/How-to-find-missing-values-from-a-search-events-compared-to-a/m-p/310587#M93156 <P>Do it like this (will need adjustment; this is run-anywhere):</P> <PRE><CODE>index=_* | append [| makeresults | fields - _time | rename COMMENT1of2 AS "All real events will have a 'host' value, but these 'sentinel' events will not" | rename COMMENT2of2 AS "This section would best be done as a 'lookup' using '|inputlookup append=t' instead of '|makeresults'." | eval sourcetype="audittrail kvstore mongod scheduler splunk_disk_objects splunk_python splunk_resource_usage splunk_web_access splunk_web_service splunkd splunkd_access splunkd_ui_access ta_snow ta_snow_util this_will_never_have_data" | makemv sourcetype] | stats count(host) AS count BY sourcetype | eval is_running=if((count&gt;0), 1, 0) </CODE></PRE> Wed, 30 Aug 2017 22:56:04 GMT https://community.splunk.com/t5/Splunk-Search/How-to-find-missing-values-from-a-search-events-compared-to-a/m-p/310587#M93156 woodcock 2017-08-30T22:56:04Z Re: How to find missing values from a search events compared to a list - (either a lookup file or a declared values) https://community.splunk.com/t5/Splunk-Search/How-to-find-missing-values-from-a-search-events-compared-to-a/m-p/310588#M93157 <P>@hulgundi, if this worked for you, please click <CODE>Accept</CODE> to close the question and help others find valid solutions more easily.</P> Thu, 28 Jun 2018 16:13:37 GMT https://community.splunk.com/t5/Splunk-Search/How-to-find-missing-values-from-a-search-events-compared-to-a/m-p/310588#M93157 woodcock 2018-06-28T16:13:37Z