Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Files not show in the Results will need be show in the results with Status=pending

rchams
Explorer
‎09-11-2020 11:00 AM

index=XXXX sourcetype=XXXX ("filename1" OR "filename2" OR filename3) 

| rex "(?<status>passed) request\=\[\/\w+\/(?<to_DST_Filename>.*.txt)\.\w+\."
| rex "(?<status>orig) request\=\[(?<to_DST_Filename1>.*.txt)\.\w+\."
| eval to_DST_Filename = coalesce(to_DST_Filename,to_DST_Filename1)
| fields _time to_DST_Filename
| eval Staus_1 = if(substr(to_DST_Filename,3,4)="hold","Duplicate","Transferred")
| eval Status1 = if(like(to_DST_Filename,"%dup%"),"Duplicate","Transferred")
| eval Status = coalesce(Status_1,Status1)
| fields _time to_DST_Filename Status
| table _time to_DST_Filename Status
| rename _time as "Time_Sent_by_SI"
| convert ctime(Time_Sent_by_SI)
| dedup to_DST_Filename
| search to_DST_Filename!="" AND Status=Transferred

In the above search the three files "filename1" OR "filename2" OR "filename3" will not always have results. I'm looking for the results like, if any file is not shown in the results,

result will be show with file name and status=pending. 

Looking for Results like below:

Filename                                                Status

filename1                                             Transferred

filename2                                              Transferred

filename3                                                 Pending

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎09-11-2020 01:45 PM

Finding something that is not there is not Splunk's strong suit.  See this blog entry for a good write-up on it.

https://www.duanewaddle.com/proving-a-negative/

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

rchams
Explorer
‎09-11-2020 01:53 PM

@richgalloway  Thanks for the response but the link is not useful for my request.

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎09-11-2020 05:48 PM

How is it not relevant?  The way I read the question, you have three possible values in your index and you want to display certain text when one of them is not found.  That seems exactly like what the link describes.  If I'm wrong then please clarify the question.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

rchams
Explorer
‎09-14-2020 06:05 AM

@richgalloway  The fillnull command changing null values to zero but i'm looking for different results.

If one of the file is missing in my results, the missing file show as with Status=Pending in the results.

For example:

the result i'm seeing is:

filename        status

filename1     Transferred

filename3      Transferred

 

In the result filename2 is no results

 

looking for result like below, if the filename2 has no results it should be show as Pending

 

Results looking like:

filename        status

filename1     Transferred

filename2      Pending

filename3      Transferred

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎09-14-2020 06:51 AM

The fillnull command can populate fields with values other than zero.  For example,

| fillnull value="Pending" status


Please share your current query.

---
If this reply helps you, Karma would be appreciated.
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Boston may be buzzing this September with Splunk University and .conf25, but you don’t have to pack a bag to ...

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Unlock What’s Next: The Splunk Cloud Platform at .conf25

In just a few days, Boston will be buzzing as the Splunk team and thousands of community members come together ...