How do I find missing information from query 2 and...

benj851 · ‎08-23-2018

I am trying to find missing stores from query 2 in the below script. However, it returns no results, or all results depending on the search. For the purposes of my search, I know the correct result is one. Can you please assist me in my evaluations to get what I'm seeking? I've beeing trying this for days now.

host=s*0009 Type=Information EventCodeDescription="A new process has been created" New_Process_Name="D:\\Program\\Bin\\potato.exe" | dedup host | eval StoreCallEDW=substr(ComputerName,2,4) | search [ search index=mainframe host=MVSB* MFSOURCETYPE=SMF080 *CFT* DEFINE_RESOURCE="SUCCESSFUL_DEFINITION" | spath RESOURCE_NAME | search RESOURCE_NAME="EDWABP.V15.TLOG.DATA.*" | eval StoreonMainframe=substr(RESOURCE_NAME,29,4)] | table nodiff StoreEDWFile StoreonMainframe

benj851 · ‎08-23-2018

I’ve tried using not before the sub query instead of the bool check at the end. It was also not successful

vishaltaneja070 · ‎08-24-2018

is it possible to get the small set of results of both queries?

benj851 · ‎08-24-2018

In this example I'm simply asking for results for each query but I get no results:

host=s008*0004 Type=Information EventCodeDescription="A new process has been created" New_Process_Name="D:\\program\\Bin\\potato.exe" | dedup host | eval StoreCallEDW=substr(ComputerName,2,4) | search [ search index=mainframe host=MVSB* MFSOURCETYPE=SMF080 *CFT* DEFINE_RESOURCE="SUCCESSFUL_DEFINITION" | spath RESOURCE_NAME | search RESOURCE_NAME="EDWABP.V15.TLOG.DATA.*" | eval StoreonMainframe=substr(RESOURCE_NAME,29,4)] |  table StoreEDWFile StoreonMainframe

Result:
No Results found

benj851 · ‎08-24-2018

Here is just the first query, the query that must have something in order for the subquery to possibly have something:

host=s008*0004 Type=Information EventCodeDescription="A new process has been created" New_Process_Name="D:\\Program\\Bin\\potato.exe" | dedup host | eval StoreCallEDW=substr(ComputerName,2,4) | table StoreCallEDW

Results are:

StoreCallEDW
0084
0086
0080

benj851 · ‎08-24-2018

This should return one result on StoreonMainframe; but the only results returned are for nodiff. When you view the results they are related to StoreCallEDW.
host=s008*0004 Type=Information EventCodeDescription="A new process has been created" New_Process_Name="D:\program\Bin\potato.exe" | dedup host | eval StoreCallEDW=substr(ComputerName,2,4) | sort StoreCallEDW |search NOT [ search index=mainframe host=MVSB* MFSOURCETYPE=SMF080 CFT DEFINE_RESOURCE="SUCCESSFUL_DEFINITION" | spath RESOURCE_NAME | search RESOURCE_NAME="EDWABP.V15.TLOG.DATA.*" | eval StoreonMainframe=substr(RESOURCE_NAME,29,4) | Sort StoreonMainframe] | eval nodiff=if(match(StoreCallEDW,StoreonMainframe), "True", "False")| table nodiff StoreEDWFile StoreonMainframe

Results:
nodiff StoreEDWFile StoreonMainframe
False

False

False

benj851 · ‎08-24-2018

Using NOT and a subsearch: No results are returned for the subsearch when there should be 1200+. Each query should return 1200+ results:

host=s02*0004 Type=Information EventCodeDescription="A new process has been created" New_Process_Name="D:\program\Bin\pototo.exe" | dedup host | eval StoreEDWFile=substr(ComputerName,2,4) | sort StoreEDWFile | search NOT [ search index=mainframe host=MVSB* MFSOURCETYPE=SMF080 CFT DEFINE_RESOURCE="SUCCESSFUL_DEFINITION" | spath RESOURCE_NAME | search RESOURCE_NAME="EDWABP.V15.TLOG.DATA.*" | eval StoreonMainframe=substr(RESOURCE_NAME,29,4)] | sort StoreonMainframe | table StoreEDWFile StoreonMainframe

returns only values for StoreEDWFile:

StoreEDWFile StoreonMainframe
0202

0203

0204

0205

This is a problem because StoreEDWFile is not in question. StoreonMainframe should have been missing

How do I find missing information from query 2 and query 1

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!