How to add a dummy row to the table calculating th...

Anud · ‎06-04-2024

How to add a dummy row to the table in the Splunk dashboard.
We are receiving 2 files everyday 4 times in between 6-7:30AM, 11-12:30 PM, 6-7:30PM, 9-10:05PM.
I need output like below if received one file means has to display like missing other file.

Using | makeresults command we can create a row but it is applicable while calculating the timings.

Input :

File	Date
TI7L	03-06-2024 06:52
TI7L	03-06-2024 06:55
TI8L	03-06-2024 11:51
TI8L	03-06-2024 11:50
TI9L	03-06-2024 19:06
TI9L	03-06-2024 19:10
TI5L	03-06-2024 22:16
TI5L	03-06-2024 22:20

Output:

File	Date
TI7L	03-06-2024 06:52
Missing file
Missing file
TI8L	03-06-2024 11:50
TI9L	03-06-2024 19:06
Missing file
TI5L	03-06-2024 22:16
Missing file

ITWhisperer · ‎06-04-2024

| stats list(Date) as Date by File
| eval row=mvrange(0,2)
| mvexpand row
| eval Date=mvindex(Date,row)
| eval File=if(isnotnull(Date),File,"missing file")
| fields - row

Anud · ‎06-04-2024

Thanks for quick response!

Actually i was looking for the output like below. File missed in between time 6-7:30AM and 9-10:05PM

File	Date
TI7L	03-06-2024 06:52
	file missing
TI8L	03-06-2024 11:51
TI8L	03-06-2024 11:50
TI9L	03-06-2024 19:06
TI9L	03-06-2024 19:10
TI5L	03-06-2024 22:16
	File missing

richgalloway · ‎06-04-2024

Splunk can't find something that's not there. You'll need to use makeresults or a lookup to populate what you expect and then replace that with actual indexed data.

---
If this reply helps you, Karma would be appreciated.

How to add a dummy row to the table calculating the timings in the Splunk dashboard

eval

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?