- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to determine missing entries for a given time
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to determine missing entries for a given time
I have a scenario where when a device checks in, it sends multiple records of it's inventory with the same time stamp. The check-in time is random but grouped by timestamp.
With a given dataset:
5am fruit=apple
5am fruit=orange
5am fruit=banana
7am fruit=apple
7am fruit=orange
12pm fruit=orange
12pm fruit=banana
What I would like to see if there is a way to determine when one record exists but another record does not exist for a given time. For instance, note when apple is present but banana is not present like the 7am time.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
| makeresults
| eval _raw="5am fruit=apple
5am fruit=orange
5am fruit=banana
7am fruit=apple
7am fruit=orange
12pm fruit=orange
12pm fruit=banana"
| multikv noheader=t
| rex "(?<time>\S+)\sfruit=(?<fruit>.*)"
| stats count by fruit time
| append [ | makeresults
| eval fruit=split("apple,banana,orange",","), time=split("5am,7am,12pm",",")
| stats count by fruit time
| fields - count ]
| fillnull count
| stats sum(count) as count by fruit time
| sort fruit timeWhat's your expected result?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi to4kawa,
One possible output is to show the records for the given time where there are no bananas or no apples.
I was looking at the possibility to group by transaction then show the transaction where fruit=orange record exists but fruit=apples does not exist for that transaction.
Thanks,
Warren
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
| makeresults
| eval _raw="5am fruit=apple
5am fruit=orange
5am fruit=banana
7am fruit=apple
7am fruit=orange
12pm fruit=orange
12pm fruit=banana"
| multikv noheader=t
| rex "(?<time>\S+)\sfruit=(?<fruit>.*)"
| stats count by fruit time
| append [ | makeresults
| eval fruit=split("apple,banana,orange",","), time=split("5am,7am,12pm",",")
| stats count by fruit time
| fields - count ]
| fillnull count
| stats sum(count) as count by fruit time
| sort fruit time
| where count = 0
transaction? I don't think it should need.
.conf24 | Registration Open!
ICYMI - Check out the latest releases of Splunk Edge Processor
Introducing the 2024 SplunkTrust!
