Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Count string value over 7 days
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I need to display the LastBackupStatus of all servers over the last 7 days. (The values of this field are only Success or Failure)
index=netbackup source=otl_nb_allpolicies client=*nas*
| dedup client
| rex field=client "^(?<machine>[^\.]+)\.?.*"
| eval machine=lower(machine)
| dedup machine, LastBackupStatus
| table machine ]
| fillnull value="NoBackUp", LastBackupStatus
I require a field called "IsBackedUp" added which determines if the server is backed up, based on the last 7 days. If the LastBackupStatus has not been successful in the last 7 days then "IsBackedUp" should be No otherwise set to Yes.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try this assuming that machine is extracted properly!
index=netbackup source=otl_nb_allpolicies client=*nas* earliest=-7d@h latest=now
| rex field=client "^(?<machine>[^\.]+)\.?.*"
| eval machine=lower(machine)
| eval IsBackedUp=if(LastBackupStatus="Success","Yes","No")
| stats values(IsBackedUp) as "Is Backed Up?" by machine
Let me know if this helps you!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try this assuming that machine is extracted properly!
index=netbackup source=otl_nb_allpolicies client=*nas* earliest=-7d@h latest=now
| rex field=client "^(?<machine>[^\.]+)\.?.*"
| eval machine=lower(machine)
| eval IsBackedUp=if(LastBackupStatus="Success","Yes","No")
| stats values(IsBackedUp) as "Is Backed Up?" by machine
Let me know if this helps you!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I think you can use stats here. Something like this (untested)
index=netbackup source=otl_nb_allpolicies client=*nas*
| eval machine = lower(mvindex(split(client,"."),0))
| stats values(LastBackupStatus) as LastBackupStatus by machine
| eval IsBackUp = if(match(LastBackupStatus,"Success"),true,false)
Not sure if meant that every backup had to be successful or just one, but the search above assumes the latter. If the former, then you an change the logic to match Failure, false, true.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I believe there is an additional square bracket in 2nd last line.
If you just want to add a new field IsBackedUp based on LastBackupStatus field value, you can just add following to your current search
your current search | eval IsBackedUp=if(LastBackupStatus="Success","Yes","No")
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass
May 2026 Splunk Expert Sessions: Security & Observability
Network to App: Observability Unlocked [May & June Series]
