Include 'Missing Events' In Search Results

paddy3883 · ‎11-28-2012

I've a CSV file which contains two values per row, 'Filter' and 'Timing'. Essentially the Filter will specify a value to search across a series of events either a field value or text in message etc. The Timing value is used in another query. What I'm after is a search query that executes this lookup file against the events and returns a count of matches for each, and more importantly, returns those for which no events where found. My current query (which does not return those with no events) is:

| inputlookup my_lookup | eval Filter=$Filter$ | map [search source=MySource $Filter$] | stats count by EventName

So for a CSV like this:

Filter,Timing

Text found in Event A messages, 100

Text found in Event B messages, 400

Text found in Event C messages, 300

which returns something like:

EventName | Count

EventA | 250

EventB | 175

when there are matches for the first two rows but none for the second. Ideally what I'd like is:

Can anyone point me in the right direction?

yannK · ‎11-28-2012

try a combination of fillnull
http://docs.splunk.com/Documentation/Splunk/5.0.1/SearchReference/Fillnull

| fillnull value="missing"

and an outer join instead of the lookup
see http://docs.splunk.com/Documentation/Splunk/5.0.1/SearchReference/Join

searchA | join type=outer Eventname [search searchB]

Include 'Missing Events' In Search Results

Unlock Database Monitoring with Splunk Observability Cloud

Purpose in Action: How Splunk Is Helping Power an Inclusive Future for All

[Upcoming Webinar] Demo Day: Transforming IT Operations with Splunk

Join the Conversation

Include 'Missing Events' In Search Results

Unlock Database Monitoring with Splunk Observability Cloud

Purpose in Action: How Splunk Is Helping Power an Inclusive Future for All

[Upcoming Webinar] Demo Day: Transforming IT Operations with Splunk