Splunk Dev

Dynamic table with missing event

c_prateesh
New Member

Hi

I am building a table with some metrics on the http access to different services reported in the apache WAF logs.
I use the field extraction to build the table dynamically and display the number of hits to each service.

index=apache-access | eval destination=split(...) | stats count by destination

If there is no traffic on a specific destination, it does not appear in the table. However, I would like to show count 0 to trigger a warning that there is no traffic. I do not want to do a targeted search on each service as it could generate hundreds of searches.

How can I achieve the above with a static column to declare the expected services and then have a dynamic count in the second column linked to those services?

Prateesh


elliotproebstel
Champion

Presumably, you have a pre-defined list of services that you'd expect to see in the table (or else you wouldn't notice they were missing). I'd recommend collecting those in a single-column csv file - perhaps apache_services.csv - with a field header of destination (to match your query structure above) and create a lookup from this file in Splunk. Then you can do this:

index=apache-access 
| eval destination=split(...) 
| stats count by destination
| append 
 [| inputlookup apache_services.csv
  | eval count=0 ]
| stats max(count) AS count BY destination

This will allow you to first count the number of hits per destination in the log file, then append the list of possible services from the lookup file, with a presumed count of 0. The final stats call will pick up the higher count value if it was found in the logs.

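The same three stages (count what was seen, append the expected list with count 0, keep the maximum per destination) modelled in Python, as an added example that is not part of the thread or of Splunk. The events and the stand-in for apache_services.csv are constructed from the poster's description.

```python
import re
from collections import Counter

# Constructed sample events mirroring the poster's description:
# two hits on serviceA, one on serviceB, none on serviceC.
SAMPLE_EVENTS = [
    "uri=/serviceA/xyz/..",
    "uri=/serviceA/def/..",
    "uri=/serviceB/abc/..",
]

# Constructed stand-in for the single-column lookup apache_services.csv
# (field header "destination").
EXPECTED_SERVICES = ["serviceA", "serviceB", "serviceC"]

# Assumed extraction: the first path segment of the uri field is the service.
URI_RE = re.compile(r"uri=/([^/\s]+)/")


def extract_destination(event):
    """Stand-in for `eval destination=...`; returns None if no uri is present."""
    m = URI_RE.search(event)
    return m.group(1) if m else None


def stats_count_by_destination(events):
    """`stats count by destination`: only destinations actually seen appear."""
    return Counter(d for d in map(extract_destination, events) if d)


def merge_with_expected(counts, expected):
    """`append [| inputlookup ... | eval count=0]` followed by
    `stats max(count) AS count BY destination`.

    Every expected service contributes a 0 row, so max() keeps the observed
    count where there is one and 0 where the service was silent. A destination
    seen in the logs but absent from the lookup is kept as well, just as in SPL.
    """
    rows = list(counts.items()) + [(dest, 0) for dest in expected]
    merged = {}
    for dest, n in rows:
        merged[dest] = max(merged.get(dest, 0), n)
    return merged


def silent_services(merged):
    """The alert condition the poster wanted: expected services with count 0."""
    return sorted(dest for dest, n in merged.items() if n == 0)


if __name__ == "__main__":
    merged = merge_with_expected(stats_count_by_destination(SAMPLE_EVENTS), EXPECTED_SERVICES)
    for dest in sorted(merged):
        print(f"{dest} : {merged[dest]}")
    print("no traffic:", silent_services(merged))
```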

c_prateesh
New Member

Thanks a lot. It works well.


p_gurav
Champion

Can you provide sample data? When you write | stats count by destination, are you getting missing events?


c_prateesh
New Member

Let's assume I have 3 services: serviceA, serviceB and serviceC.

In my logs I have (note: I have no logs for serviceC during the timeframe I selected):
uri=/serviceA/xyz/..
uri=/serviceA/def/..
uri=/serviceB/abc/..

So when I search and parse, I get the following result:
serviceA : 2
serviceB : 1

What I want is:
serviceA : 2
serviceB : 1
serviceC : 0
