How to determine missing entries for a given time

Observer

I have a scenario where when a device checks in, it sends multiple records of its inventory with the same time stamp. The check-in time is random but grouped by timestamp.

With a given dataset:

5am fruit=apple
5am fruit=orange
5am fruit=banana
7am fruit=apple
7am fruit=orange
12pm fruit=orange
12pm fruit=banana

What I would like to see is if there is a way to determine when one record exists but another record does not exist for a given time. For instance, note when apple is present but banana is not present, like the 7am time.


Re: How to determine missing entries for a given time

Ultra Champion

| makeresults
| eval _raw="5am fruit=apple
5am fruit=orange
5am fruit=banana
7am fruit=apple
7am fruit=orange
12pm fruit=orange
12pm fruit=banana"
| multikv noheader=t
| rex "(?<time>\S+)\sfruit=(?<fruit>.*)"
| stats count by fruit time
| append [ | makeresults
| eval fruit=split("apple,banana,orange",","), time=split("5am,7am,12pm",",")
| stats count by fruit time
| fields - count ]
| fillnull count
| stats sum(count) as count by fruit time
| sort fruit time

What's your expected result?


Re: How to determine missing entries for a given time

Observer

Hi to4kawa,

One possible output is to show the records for the given time where there are no bananas or no apples.

I was looking at the possibility to group by transaction then show the transaction where fruit=orange record exists but fruit=apples does not exist for that transaction.

Thanks,

Warren


Re: How to determine missing entries for a given time

Ultra Champion

| makeresults
| eval _raw="5am fruit=apple
5am fruit=orange
5am fruit=banana
7am fruit=apple
7am fruit=orange
12pm fruit=orange
12pm fruit=banana"
| multikv noheader=t
| rex "(?<time>\S+)\sfruit=(?<fruit>.*)"
| stats count by fruit time
| append [ | makeresults
| eval fruit=split("apple,banana,orange",","), time=split("5am,7am,12pm",",")
| stats count by fruit time
| fields - count ]
| fillnull count
| stats sum(count) as count by fruit time
| sort fruit time
| where count = 0

transaction? I don't think it should be needed.

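The same check as an added Python example, not code from the thread or from Splunk: it reimplements what the search above does (build expected values x timestamps, report the pairs that never occur, i.e. the count=0 rows) so the search result can be validated offline against exported check-in lines, and it adds the "apple present but banana absent" condition the question asks for. It assumes the `time fruit=value` line format from the question; the sample data is constructed from that post.

```python
import re
from collections import defaultdict

# Constructed sample: the dataset from the question, one record per line.
SAMPLE = """5am fruit=apple
5am fruit=orange
5am fruit=banana
7am fruit=apple
7am fruit=orange
12pm fruit=orange
12pm fruit=banana"""

# Same pattern as the rex in the answer: a timestamp token, then fruit=<value>.
RECORD_RE = re.compile(r"^(?P<time>\S+)\sfruit=(?P<fruit>.*)$")


def records_by_time(text):
    """Group the values seen in each check-in batch, keyed by timestamp.

    Equivalent to `stats values(fruit) by time`; lines that do not match
    the pattern are skipped instead of silently producing empty fields.
    """
    seen = defaultdict(set)
    for line in text.splitlines():
        m = RECORD_RE.match(line.strip())
        if m:
            seen[m.group("time")].add(m.group("fruit"))
    return dict(seen)


def missing_by_time(text, expected=None):
    """Return {time: sorted missing values} for batches with gaps.

    `expected` defaults to every value seen anywhere, which is what the
    answer hard-codes via split("apple,banana,orange", ","). The cross
    product expected x times minus the observed pairs is the count=0 set.
    """
    seen = records_by_time(text)
    if expected is None:
        expected = set().union(*seen.values())
    gaps = {t: sorted(set(expected) - vals) for t, vals in seen.items()}
    return {t: miss for t, miss in gaps.items() if miss}


def present_without(text, present, absent):
    """Timestamps where `present` was reported but `absent` was not,
    e.g. apple without banana, as asked for the 7am batch."""
    seen = records_by_time(text)
    return sorted(t for t, vals in seen.items() if present in vals and absent not in vals)


if __name__ == "__main__":
    print(missing_by_time(SAMPLE))                     # {'7am': ['banana'], '12pm': ['apple']}
    print(present_without(SAMPLE, "apple", "banana"))  # ['7am']
```

Passing an explicit `expected` set catches an inventory item that no device has ever reported, which the "union of everything seen" default cannot.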