Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Files not show in the Results will need be show in the results with Status=pending

rchams
Explorer
‎09-11-2020 11:00 AM

index=XXXX sourcetype=XXXX ("filename1" OR "filename2" OR filename3) 

| rex "(?<status>passed) request\=\[\/\w+\/(?<to_DST_Filename>.*.txt)\.\w+\."
| rex "(?<status>orig) request\=\[(?<to_DST_Filename1>.*.txt)\.\w+\."
| eval to_DST_Filename = coalesce(to_DST_Filename,to_DST_Filename1)
| fields _time to_DST_Filename
| eval Staus_1 = if(substr(to_DST_Filename,3,4)="hold","Duplicate","Transferred")
| eval Status1 = if(like(to_DST_Filename,"%dup%"),"Duplicate","Transferred")
| eval Status = coalesce(Status_1,Status1)
| fields _time to_DST_Filename Status
| table _time to_DST_Filename Status
| rename _time as "Time_Sent_by_SI"
| convert ctime(Time_Sent_by_SI)
| dedup to_DST_Filename
| search to_DST_Filename!="" AND Status=Transferred

In the above search the three files "filename1" OR "filename2" OR "filename3" will not always have results. I'm looking for the results like, if any file is not shown in the results,

result will be show with file name and status=pending. 

Looking for Results like below:

Filename                                                Status

filename1                                             Transferred

filename2                                              Transferred

filename3                                                 Pending

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎09-11-2020 01:45 PM

Finding something that is not there is not Splunk's strong suit.  See this blog entry for a good write-up on it.

https://www.duanewaddle.com/proving-a-negative/

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

rchams
Explorer
‎09-11-2020 01:53 PM

@richgalloway  Thanks for the response but the link is not useful for my request.

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎09-11-2020 05:48 PM

How is it not relevant?  The way I read the question, you have three possible values in your index and you want to display certain text when one of them is not found.  That seems exactly like what the link describes.  If I'm wrong then please clarify the question.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

rchams
Explorer
‎09-14-2020 06:05 AM

@richgalloway  The fillnull command changing null values to zero but i'm looking for different results.

If one of the file is missing in my results, the missing file show as with Status=Pending in the results.

For example:

the result i'm seeing is:

filename        status

filename1     Transferred

filename3      Transferred

 

In the result filename2 is no results

 

looking for result like below, if the filename2 has no results it should be show as Pending

 

Results looking like:

filename        status

filename1     Transferred

filename2      Pending

filename3      Transferred

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎09-14-2020 06:51 AM

The fillnull command can populate fields with values other than zero.  For example,

| fillnull value="Pending" status


Please share your current query.

---
If this reply helps you, Karma would be appreciated.
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...