Verify a list of values


Hello everybody (good morning, everyone)
I have a new request for all members 🙂
This search:
sourcetype=sccm | streamstats count current=t resetonchange=true by datewday, datemonth, datehour, dateminute, datesecond, ServiceStatus | table count, ServiceStatus, ServiceName

Result:
count ServiceStatus ServiceName
1 Found service XDSnscls
2 Found service XDSsnaptunnel
3 Found service XDSclm
4 Found service XDSsdsd
5 Found service XDSsccm
6 Found service XDSsccmms
7 Found service XDSdss
8 Found service XDSauth

This is the same pattern every time and I wish to create an alert.
For example:
Verify the list of Service_Name values, and if one of them isn't in the list, I get an alert.

Thanks for your help.
Best regards

0 Karma

Re: Verify a list of values


My solution would be:
1. Create a lookup file with the services that you expect. Two columns: service_name and status. Status is a dummy field.
2. Create a search which starts with | inputlookup and join that with your search so if your search doesn't return a result you miss a field from that search. Finish the search with | search NOT certainField = *
3. Create an alert based on that search which results in all events from the lookup for which no data was found in the index.

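The three steps in the answer above, written out as one search. This is an added example, not part of the original post. It assumes a lookup file named expected_services.csv with the service_name column from step 1, a 15-minute search window, and a helper field called seen (all hypothetical); sourcetype=sccm and ServiceName come from the question.

```spl
| inputlookup expected_services.csv
| fields service_name
| join type=left service_name
    [ search sourcetype=sccm earliest=-15m
      | stats count AS seen BY ServiceName
      | rename ServiceName AS service_name ]
| search NOT seen=*
| table service_name
```

The left join keeps every row of the lookup, so an expected service with no events in the window has no seen field and passes the final filter. Saved as an alert that triggers when the number of results is greater than zero, it reports each expected service that is missing from the data.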


Re: Verify a list of values


Thanks for your solution.
That works well. I hope our partners will not change the number of services or their names.
Best regards,

0 Karma