Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to determine missing entries for a given time

warren_h
Observer
‎07-31-2020 03:55 PM

I have a scenario where when a device checks in, it sends multiple records of it's inventory with the same time stamp.   The check-in time is random but grouped by timestamp.  

With a given dataset:

5am fruit=apple
5am fruit=orange
5am fruit=banana
7am fruit=apple
7am fruit=orange
12pm fruit=orange
12pm fruit=banana

What I would like to see if there is a way to determine when one record exists but another record does not exist for a given time.  For instance, note when apple is present but banana is not present like the 7am time.

Labels (2)
0 Karma
Reply

to4kawa
Ultra Champion
‎07-31-2020 04:06 PM 
| makeresults
| eval _raw="5am fruit=apple
5am fruit=orange
5am fruit=banana
7am fruit=apple
7am fruit=orange
12pm fruit=orange
12pm fruit=banana"
| multikv noheader=t
| rex "(?<time>\S+)\sfruit=(?<fruit>.*)"
| stats count by fruit time
| append [ | makeresults
| eval fruit=split("apple,banana,orange",","), time=split("5am,7am,12pm",",")
| stats count by fruit time
| fields - count ]
| fillnull count
| stats sum(count) as count by fruit time
| sort fruit time

What's your expected result?

0 Karma
Reply

warren_h
Observer
‎07-31-2020 04:34 PM

Hi to4kawa,

One possible output is to show the records for the given time where there are no bananas or no apples.  

I was looking at the possibility to group by transaction then show the transaction where fruit=orange record exists but fruit=apples does not exist for that transaction.

Thanks,

Warren

 

 

0 Karma
Reply

to4kawa
Ultra Champion
‎07-31-2020 04:39 PM

| makeresults
| eval _raw="5am fruit=apple
5am fruit=orange
5am fruit=banana
7am fruit=apple
7am fruit=orange
12pm fruit=orange
12pm fruit=banana"
| multikv noheader=t
| rex "(?<time>\S+)\sfruit=(?<fruit>.*)"
| stats count by fruit time
| append [ | makeresults
| eval fruit=split("apple,banana,orange",","), time=split("5am,7am,12pm",",")
| stats count by fruit time
| fields - count ]
| fillnull count
| stats sum(count) as count by fruit time
| sort fruit time
| where count = 0

transaction? I don't think it should need.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...

Fun with Regular Expression - multiples of nine

Fun with Regular Expression - multiples of nineThis challenge was first posted on Slack #regex channel ...