Alerting
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

I am trying to run a search and alert for specific field that has a count of 0 for a 24 hour period.

babcolee
Path Finder
‎06-01-2017 07:50 AM

The field abc will list servers multiple times in the realtime log file. I created a inputlookup file (abc_servers.csv) and search to compare what is in the log file to the inputlookup. The inputlookup abc_sources.csv I created has 43 entries. However, when I run the following search I may see a stats count for 41 abc and does not list the other 2 missing with a value of 0 and thus not alert me of the 0 count. I also created an outputlookup (tmp_abc.csv) to give a base line but I am not sure how to compare it to the inputlookup to determine
if there is a 0 count

sourcetype="mysourcetype:" abc= | search [inputlookup abc_servers.csv] | stats count by abc | fillnull value=0

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

DalJeanis
Legend
‎06-01-2017 07:58 AM

Here's one way... 

sourcetype="mysourcetype:" abc= | stats count as reccount by abc | append 
[| inputlookup abc_servers.csv | table abc | eval reccount = 0] 
| eventstats sum(reccount) as totcount by abc
| where totcount == 0

Here's another...

| inputlookup abc_servers.csv | table abc 
| join type=left [search sourcetype="mysourcetype:" abc= | stats count as reccount by abc ]
| where isnull(reccount)

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

DalJeanis
Legend
‎06-01-2017 07:58 AM

Here's one way... 

sourcetype="mysourcetype:" abc= | stats count as reccount by abc | append 
[| inputlookup abc_servers.csv | table abc | eval reccount = 0] 
| eventstats sum(reccount) as totcount by abc
| where totcount == 0

Here's another...

| inputlookup abc_servers.csv | table abc 
| join type=left [search sourcetype="mysourcetype:" abc= | stats count as reccount by abc ]
| where isnull(reccount)
0 Karma
Reply
Solved! Jump to solution

babcolee
Path Finder
‎06-01-2017 09:06 AM

Thank you for your help that is what I needed

Reply
Solved! Jump to solution

micahkemp
Champion
‎06-01-2017 07:55 AM

Try something like:

<base search> | dedup abc | append [inputlookup abclookup] | stats count BY abc | search count=1

Where abclookup has just one column:

abc
abcvalue1
abcvalue2

Edited as per correction below.

0 Karma
Reply
Solved! Jump to solution

DalJeanis
Legend
‎06-01-2017 08:02 AM

count is never going to be 0 in that scenario, since there is always a record from the csv involved. The only thing you have to change is | search count=1, since the count will be 2 if the base search returns a record and the csv adds one.

By the way, dedup is a great idea for reducing the overhead.

0 Karma
Reply
Solved! Jump to solution

micahkemp
Champion
‎06-01-2017 08:05 AM

Oops, good catch!

Reply
Get Updates on the Splunk Community!

Observability Unlocked: Kubernetes Monitoring with Splunk Observability Cloud

  Ready to master Kubernetes and cloud monitoring like the pros?Join Splunk’s Growth Engineering team for an ...

Wrapping Up Cybersecurity Awareness Month

October might be wrapping up, but for Splunk Education, cybersecurity awareness never goes out of season. ...

🌟 From Audit Chaos to Clarity: Welcoming Audit Trail v2

&#x1f5e3; You Spoke, We Listened  Audit Trail v2 wasn’t written in isolation—it was shaped by your voices.  In ...