Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: How do I find missing information from query 2...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How do I find missing information from query 2 and query 1
benj851
Explorer
08-23-2018
01:27 PM
I am trying to find missing stores from query 2 in the below script. However, it returns no results, or all results depending on the search. For the purposes of my search, I know the correct result is one. Can you please assist me in my evaluations to get what I'm seeking? I've beeing trying this for days now.
host=s*0009 Type=Information EventCodeDescription="A new process has been created" New_Process_Name="D:\\Program\\Bin\\potato.exe" | dedup host | eval StoreCallEDW=substr(ComputerName,2,4) | search [ search index=mainframe host=MVSB* MFSOURCETYPE=SMF080 *CFT* DEFINE_RESOURCE="SUCCESSFUL_DEFINITION" | spath RESOURCE_NAME | search RESOURCE_NAME="EDWABP.V15.TLOG.DATA.*" | eval StoreonMainframe=substr(RESOURCE_NAME,29,4)] | table nodiff StoreEDWFile StoreonMainframe
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
benj851
Explorer
08-23-2018
04:04 PM
I’ve tried using not before the sub query instead of the bool check at the end. It was also not successful
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
vishaltaneja070
Motivator
08-24-2018
02:31 AM
is it possible to get the small set of results of both queries?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
benj851
Explorer
08-24-2018
11:00 AM
In this example I'm simply asking for results for each query but I get no results:
host=s008*0004 Type=Information EventCodeDescription="A new process has been created" New_Process_Name="D:\\program\\Bin\\potato.exe" | dedup host | eval StoreCallEDW=substr(ComputerName,2,4) | search [ search index=mainframe host=MVSB* MFSOURCETYPE=SMF080 *CFT* DEFINE_RESOURCE="SUCCESSFUL_DEFINITION" | spath RESOURCE_NAME | search RESOURCE_NAME="EDWABP.V15.TLOG.DATA.*" | eval StoreonMainframe=substr(RESOURCE_NAME,29,4)] | table StoreEDWFile StoreonMainframe
Result:
No Results found
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
benj851
Explorer
08-24-2018
11:02 AM
Here is just the first query, the query that must have something in order for the subquery to possibly have something:
host=s008*0004 Type=Information EventCodeDescription="A new process has been created" New_Process_Name="D:\\Program\\Bin\\potato.exe" | dedup host | eval StoreCallEDW=substr(ComputerName,2,4) | table StoreCallEDW
Results are:
StoreCallEDW
0084
0086
0080
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
benj851
Explorer
08-24-2018
10:52 AM
This should return one result on StoreonMainframe; but the only results returned are for nodiff. When you view the results they are related to StoreCallEDW.
host=s008*0004 Type=Information EventCodeDescription="A new process has been created" New_Process_Name="D:\program\Bin\potato.exe" | dedup host | eval StoreCallEDW=substr(ComputerName,2,4) | sort StoreCallEDW |search NOT [ search index=mainframe host=MVSB* MFSOURCETYPE=SMF080 CFT DEFINE_RESOURCE="SUCCESSFUL_DEFINITION" | spath RESOURCE_NAME | search RESOURCE_NAME="EDWABP.V15.TLOG.DATA.*" | eval StoreonMainframe=substr(RESOURCE_NAME,29,4) | Sort StoreonMainframe] | eval nodiff=if(match(StoreCallEDW,StoreonMainframe), "True", "False")| table nodiff StoreEDWFile StoreonMainframe
Results:
nodiff StoreEDWFile StoreonMainframe
False
False
False
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
benj851
Explorer
08-24-2018
10:37 AM
Using NOT and a subsearch: No results are returned for the subsearch when there should be 1200+. Each query should return 1200+ results:
host=s02*0004 Type=Information EventCodeDescription="A new process has been created" New_Process_Name="D:\program\Bin\pototo.exe" | dedup host | eval StoreEDWFile=substr(ComputerName,2,4) | sort StoreEDWFile | search NOT [ search index=mainframe host=MVSB* MFSOURCETYPE=SMF080 CFT DEFINE_RESOURCE="SUCCESSFUL_DEFINITION" | spath RESOURCE_NAME | search RESOURCE_NAME="EDWABP.V15.TLOG.DATA.*" | eval StoreonMainframe=substr(RESOURCE_NAME,29,4)] | sort StoreonMainframe | table StoreEDWFile StoreonMainframe
returns only values for StoreEDWFile:
StoreEDWFile StoreonMainframe
0202
0203
0204
0205
This is a problem because StoreEDWFile is not in question. StoreonMainframe should have been missing
Get Updates on the Splunk Community!
Aligning Observability Costs with Business Value: Practical Strategies
Join us for an engaging Tech Talk on Aligning Observability Costs with Business Value: Practical ...
Mastering Data Pipelines: Unlocking Value with Splunk
In today's AI-driven world, organizations must balance the challenges of managing the explosion of data with ...
Splunk Up Your Game: Why It's Time to Embrace Python 3.9+ and OpenSSL 3.0
Did you know that for Splunk Enterprise 9.4, Python 3.9 is the default interpreter? This shift is not just a ...
