Alerting
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

I am trying to run a search and alert for specific field that has a count of 0 for a 24 hour period.

babcolee
Path Finder
‎06-01-2017 07:50 AM

The field abc will list servers multiple times in the realtime log file. I created a inputlookup file (abc_servers.csv) and search to compare what is in the log file to the inputlookup. The inputlookup abc_sources.csv I created has 43 entries. However, when I run the following search I may see a stats count for 41 abc and does not list the other 2 missing with a value of 0 and thus not alert me of the 0 count. I also created an outputlookup (tmp_abc.csv) to give a base line but I am not sure how to compare it to the inputlookup to determine
if there is a 0 count

sourcetype="mysourcetype:" abc= | search [inputlookup abc_servers.csv] | stats count by abc | fillnull value=0

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

DalJeanis
Legend
‎06-01-2017 07:58 AM

Here's one way... 

sourcetype="mysourcetype:" abc= | stats count as reccount by abc | append 
[| inputlookup abc_servers.csv | table abc | eval reccount = 0] 
| eventstats sum(reccount) as totcount by abc
| where totcount == 0

Here's another...

| inputlookup abc_servers.csv | table abc 
| join type=left [search sourcetype="mysourcetype:" abc= | stats count as reccount by abc ]
| where isnull(reccount)

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

DalJeanis
Legend
‎06-01-2017 07:58 AM

Here's one way... 

sourcetype="mysourcetype:" abc= | stats count as reccount by abc | append 
[| inputlookup abc_servers.csv | table abc | eval reccount = 0] 
| eventstats sum(reccount) as totcount by abc
| where totcount == 0

Here's another...

| inputlookup abc_servers.csv | table abc 
| join type=left [search sourcetype="mysourcetype:" abc= | stats count as reccount by abc ]
| where isnull(reccount)
0 Karma
Reply
Solved! Jump to solution

babcolee
Path Finder
‎06-01-2017 09:06 AM

Thank you for your help that is what I needed

Reply
Solved! Jump to solution

micahkemp
Champion
‎06-01-2017 07:55 AM

Try something like:

<base search> | dedup abc | append [inputlookup abclookup] | stats count BY abc | search count=1

Where abclookup has just one column:

abc
abcvalue1
abcvalue2

Edited as per correction below.

0 Karma
Reply
Solved! Jump to solution

DalJeanis
Legend
‎06-01-2017 08:02 AM

count is never going to be 0 in that scenario, since there is always a record from the csv involved. The only thing you have to change is | search count=1, since the count will be 2 if the base search returns a record and the csv adds one.

By the way, dedup is a great idea for reducing the overhead.

0 Karma
Reply
Solved! Jump to solution

micahkemp
Champion
‎06-01-2017 08:05 AM

Oops, good catch!

Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...