Getting Data In

Help with search query


i have a list of string lets say  "abc" "bcd" "def" "efg" "fgh".

I want to search each of these string against a query for example :


index=xyz sourcetype=logs host=localhost
| table _time,  _raw

and i want to search it as - if this string occurs in the result-set within last 10 days then it should print "present" otherwise it should print "absent"

Labels (1)
0 Karma



if you have only small number of strings which you are looking, then you can try this

index=xyz sourcetype=logs host=localhost earliest=-10d@d
| rex "(?<foo1>string1)"
..... ```Add all strings here one by one```
| rex "(?<fooN>stringN)"
| stats values(foo*) as foo*
| fillnull value=NULL foo1 ... fooN ```here you must named all variables```
| foreach foo* 
    [eval present_<<FIELD>> = if ('<<FIELD>>' == "NULL", "absent", "present")]
| table foo* present*

r. Ismo 

Get Updates on the Splunk Community!

.conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

 (view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...