I have created a search that searches for Unix process names and displays the results on a dashboard.
Is there a way I can display the results as running or not running, depending on whether certain process names are found or not found in the search?
You might want to provide a specific example as to what your expected results should look like. Do you want a table or a timechart or something else?
If you have a list of processes (I'm using a list of sourcetypes here) and you want to show which of them are running, try something like this:
| makeresults count=1 | fields - _time
| eval sourcetype="splunkd,audittrail,something,something_else" | makemv sourcetype delim="," | mvexpand sourcetype
| join type=left sourcetype [search index=_* | dedup sourcetype | table sourcetype | eval Status="ON"]
| fillnull value="OFF" Status
This gives me the following:
Status sourcetype
ON splunkd
ON audittrail
OFF something
OFF something_else
@bsaujla131984 Is your search meant for one server or for multiple servers?
And where do you get the list of "certain processes" from? Is there a predefined list of processes which you want to monitor?
I am the same guy as bsaujla131984... logged in with another ID.
Hi Whrg,
I am trying the following:
index=unix_app host="#####" Process1 OR Process2 OR Process3 COMMAND=java | dedup process | rex "(?<myField>Process1|Process2|Process3)" | timechart count(process) by myField | stats max(*) AS * | transpose
It shows the process on the dashboard without any status such as running or not running.
If it is not running, it simply does not show anything at all for that process.
Thanks,
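Applying the makeresults / left join / fillnull pattern from the answer above to the index=unix_app search in this comment, here is an added example (not code from either poster) that lists every expected process with an explicit RUNNING or NOT RUNNING status, so a missing process still appears as a row instead of silently dropping out of the dashboard. The process names Process1..Process3, the host placeholder "#####", the 15-minute window and the column names Status and last_seen are assumptions for illustration; the fields process and COMMAND are the ones used in the search above.

```spl
| makeresults count=1 | fields - _time
| eval process="Process1,Process2,Process3"
| makemv process delim="," | mvexpand process
| join type=left process
    [ search index=unix_app host="#####" COMMAND=java earliest=-15m
      | stats latest(_time) AS last_seen by process
      | eval Status="RUNNING" ]
| fillnull value="NOT RUNNING" Status
| eval last_seen=if(isnull(last_seen), "not seen in window", strftime(last_seen, "%Y-%m-%d %H:%M:%S"))
| table process Status last_seen
```

The left join keeps every row from the expected list, so a process that produced no events in the window gets Status filled with NOT RUNNING rather than disappearing; the earliest=-15m bound on the subsearch is what turns "seen at some point" into "seen recently", so pick a window slightly longer than the ps collection interval. For several servers, add a host column to the makeresults list (mvexpand it the same way) and join on host process instead of process alone, then use xyseries host process Status to get a host-by-process matrix for the dashboard panel.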