Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How do I check if a field contains text and return...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How do I check if a field contains text and return the "source" if it doesn't?
griffinpair
Path Finder
07-31-2017
01:56 PM
My current search (below) returns 3 results that has a field called "import_File" that contains either the text "Account", "Owner", or "Member" in the file path. If there is an instance where the search does not contain a file path containing either the text "Account", "Owner", or "Member", I want to return the "source" so I can go in and check it out.
Search:
source=*D:\\filePath\\filePath* source=*filePath\\filePath.log* Moved
| eval todayBuffer=strftime(now(), "%m_%d_%Y") | eval today=ltrim(tostring(todayBuffer),"0") | where like(source,"%".today."%")
| where ((like(source,"%"."ClientID"."%")))
| sort -_time
Results:
7/31/2017 5:09:18 AM -- Moved D:\filepath\filepath\ClientID\filepath\ClientID\Position\ClientID_Owner_csv.xml Size:26.46 MB
7/31/2017 5:08:18 AM -- Moved D:\filepath\filepath\ClientID\filepath\ClientID\Account\ClientID_Account_csv.xml Size:586.22 KB
7/31/2017 5:03:15 AM -- Moved D:\filepath\filepath\ClientID\filepath\ClientID\Member\ClientID_Member_csv.xml Size:3.06 MB
For example (below), if tomorrow's search does not return an import_File with a file path containing "Member" I would want
to return the source.
Example Problem Search Results:
8/1/2017 5:09:18 AM -- D:\filepath\filepath\ClientID\filepath\ClientID\Position\ClientID_Owner_csv.xml Size:26.46 MB
8/1/2017 5:08:18 AM -- D:\filepath\filepath\ClientID\filepath\ClientID\Account\ClientID_Account_csv.xml Size:586.22 KB
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
somesoni2
Revered Legend
08-01-2017
08:31 AM
Give this a try
source=*D:\\filePath\\filePath* source=*filePath\\filePath.log* Moved
| eval todayBuffer=strftime(now(), "%m_%d_%Y") | eval today=ltrim(tostring(todayBuffer),"0") | where like(source,"%".today."%")
| where ((like(source,"%"."ClientID"."%"))) | rex field=source "ClientID_(?<type>[^_]+)" | eventstats values(type) as type
| sort -_time | where mvcount(type)<3 | table source ..other fields you want...
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
DalJeanis
Legend
07-31-2017
02:32 PM
This will return either Owner, Account, Member, or the entire source.
| rex field=source "(?i)(<sourcefound>Owner|Account|Member)"
| eval source=coalesce(sourcefound,source)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
somesoni2
Revered Legend
07-31-2017
02:26 PM
What will be the expect output (for the sample data)?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
griffinpair
Path Finder
08-01-2017
07:47 AM
This is a "Alert Dashboard" I am creating. So if all show up (Results) then nothing should show up. If what we expected to show up does not (Example Problem Search Results) then I would want the the "source" to be returned so I can know the log file that has the information on the issue.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
aaraneta_splunk
Splunk Employee
07-31-2017
02:16 PM
@griffinpair - Just so you know, there is special markup language on this site so certain symbols will transform your post. If you wrap a word in the asterisk symbol * or _, without wrapping it in a code sample, it will italicize the word. If you wish to show the * (i.e. you are displaying sample code), simply click on the Code Sample icon to the right of the Blockquote icon in the formatting toolbar. That is how I was able to edit your post so that the * will display.
Get Updates on the Splunk Community!
Splunk Classroom Chronicles: Training Tales and Testimonials (Episode 3)
Welcome back to Splunk Classroom Chronicles, our ongoing blog series that pulls back the curtain on Splunk ...
Operationalizing TDIR: Building a More Resilient, Scalable SOC
Optimizing SOC workflows with a unified, risk-based approach to Threat Detection, Investigation, and Response ...
Almost Too Eventful Assurance: Part 1
Modern IT and Network teams still struggle with too many alerts and isolating issues before they are notified. ...
