Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How do I check if a field contains text and return...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How do I check if a field contains text and return the "source" if it doesn't?
griffinpair
Path Finder
07-31-2017
01:56 PM
My current search (below) returns 3 results that has a field called "import_File" that contains either the text "Account", "Owner", or "Member" in the file path. If there is an instance where the search does not contain a file path containing either the text "Account", "Owner", or "Member", I want to return the "source" so I can go in and check it out.
Search:
source=*D:\\filePath\\filePath* source=*filePath\\filePath.log* Moved
| eval todayBuffer=strftime(now(), "%m_%d_%Y") | eval today=ltrim(tostring(todayBuffer),"0") | where like(source,"%".today."%")
| where ((like(source,"%"."ClientID"."%")))
| sort -_time
Results:
7/31/2017 5:09:18 AM -- Moved D:\filepath\filepath\ClientID\filepath\ClientID\Position\ClientID_Owner_csv.xml Size:26.46 MB
7/31/2017 5:08:18 AM -- Moved D:\filepath\filepath\ClientID\filepath\ClientID\Account\ClientID_Account_csv.xml Size:586.22 KB
7/31/2017 5:03:15 AM -- Moved D:\filepath\filepath\ClientID\filepath\ClientID\Member\ClientID_Member_csv.xml Size:3.06 MB
For example (below), if tomorrow's search does not return an import_File with a file path containing "Member" I would want
to return the source.
Example Problem Search Results:
8/1/2017 5:09:18 AM -- D:\filepath\filepath\ClientID\filepath\ClientID\Position\ClientID_Owner_csv.xml Size:26.46 MB
8/1/2017 5:08:18 AM -- D:\filepath\filepath\ClientID\filepath\ClientID\Account\ClientID_Account_csv.xml Size:586.22 KB
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
somesoni2
Revered Legend
08-01-2017
08:31 AM
Give this a try
source=*D:\\filePath\\filePath* source=*filePath\\filePath.log* Moved
| eval todayBuffer=strftime(now(), "%m_%d_%Y") | eval today=ltrim(tostring(todayBuffer),"0") | where like(source,"%".today."%")
| where ((like(source,"%"."ClientID"."%"))) | rex field=source "ClientID_(?<type>[^_]+)" | eventstats values(type) as type
| sort -_time | where mvcount(type)<3 | table source ..other fields you want...
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
DalJeanis
Legend
07-31-2017
02:32 PM
This will return either Owner, Account, Member, or the entire source.
| rex field=source "(?i)(<sourcefound>Owner|Account|Member)"
| eval source=coalesce(sourcefound,source)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
somesoni2
Revered Legend
07-31-2017
02:26 PM
What will be the expect output (for the sample data)?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
griffinpair
Path Finder
08-01-2017
07:47 AM
This is a "Alert Dashboard" I am creating. So if all show up (Results) then nothing should show up. If what we expected to show up does not (Example Problem Search Results) then I would want the the "source" to be returned so I can know the log file that has the information on the issue.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
aaraneta_splunk
Splunk Employee
07-31-2017
02:16 PM
@griffinpair - Just so you know, there is special markup language on this site so certain symbols will transform your post. If you wrap a word in the asterisk symbol * or _, without wrapping it in a code sample, it will italicize the word. If you wish to show the * (i.e. you are displaying sample code), simply click on the Code Sample icon to the right of the Blockquote icon in the formatting toolbar. That is how I was able to edit your post so that the * will display.
Get Updates on the Splunk Community!
Splunk Observability Cloud’s AI Assistant in Action Series: Analyzing and ...
This is the second post in our Splunk Observability Cloud’s AI Assistant in Action series, in which we look at ...
Elevate Your Organization with Splunk’s Next Platform Evolution
Thursday, July 10, 2025 | 11AM PDT / 2PM EDT
Whether you're managing complex deployments or looking to ...
Splunk Answers Content Calendar, June Edition
Get ready for this week’s post dedicated to Splunk Dashboards! We're celebrating the power of community by ...
