Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to display procedures that don't have events as failures?

SteveChai427
Engager
‎01-08-2021 05:46 AM

Hello good people of the splunk community. I'm fairly new to splunk so sorry if this is a newb question. 

I have a search that retrieves only events with certain field values in the Procedure_Name or Process_Name fields, groups them by our scheduling cycle, and displays which procedures/processes failed (indicated by activity code not being 2000): 

 

(index=app host=myhost sourcetype=mysourcetype) OR (index=myindex source=mysource) earliest=-1w@w latest=now 
| where Process_Name IN ("Process1","Process2","Process3"..."Process26") 
OR
Procedure_Name IN ("Procedure1","Procedure2","Procedure3"..."Procedure26")) 
| fields Procedure_Name,Process_Name,Activity_Code, UpdatedDate
| eval Procedure_Name=coalesce(Process_Name, Procedure_Name)
| eval update = strptime( UpdatedDate, "%Y-%m-%d %H:%M:%S")
| eval Day = relative_time(update,"@d") - if((tonumber(strftime(update, "%H%M")) < 1400),  (24*60*60), 0)
| dedup Procedure_Name Day
| stats count(eval(Activity_Code = "2000")) as Success_Count, values(eval(if(Activity_Code !="2000", Procedure_Name,null()))) as Failures, values(Procedure_Name) as AllProcedures, values(UpdatedDate) as UpdatedDate,  count as Procedure_Count by Day
| eval Success_Percent = round(((Success_Count/Procedure_Count)*100),2)
| sort - Day
| eval Day = strftime(Day, "%F")
| table Day, Success_Count, Procedure_Count, Success_Percent, Failures, AllProcedures,UpdatedDate

 

 The process and procedure lists I'm checking for are actually identical, so Process1 is the same as Procedure1, Process6=Procedure6, etc. 

However I want to account for procedures/processes that failed to run at all since we consider that a failure too. But because they didn't run there are no events for them. Is there some way to compare my list of procedures/processes that should be there to the list that's actually there(AllProcedures) and add the difference to my failures list or another list like "FailedToRun"? 

Labels (5)
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎01-08-2021 07:14 AM

Finding something that is not there is not Splunk's strong suit.  See this blog entry for a good write-up on it.

https://www.duanewaddle.com/proving-a-negative/

---
If this reply helps you, Karma would be appreciated.
Reply

schilds427
Explorer
‎01-14-2021 01:06 PM

Hello, I'm the same person but I had to get a new account. My lookup table is up and I am able to pull data from it. It's arranged like this: 

1.0 Procedures2.0_A_Procedures2.0_B_PRocedures3.0_Procedures
*various procedures**various procedures**various procedures**various procedures*

 

My different searches are only concerned with one column each. So the search above is only concerned with the 1.0_Procedures column but other searches use the other columns. I want to add the events that are absent from splunk but present in the lookup table to the failures field. So something like: 

 

values(eval(if(Activity_Code !="2000" OR Procedure_Name NOT [|inputlookup chubDashboardProcedures.csv | fields 1.0_Procedures | rename 1.0_Procedures as search|format "" "(" "" ")" "OR" ""], Procedure_Name,null()))) as Failures

 

Except I get a quote/parenthesis mismatch error with that. Is there any way to do that? 

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎01-15-2021 07:43 AM

Try using the format command without arguments - the extra parentheses shouldn't affect the results.  If that doesn't work, try " " instead of "".

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

SteveChai427
Engager
‎01-08-2021 07:40 AM

I'll try what's in that article and see if that does the trick. I had a feeling I'd need to do a lookup table but I don't have permissions to make one so it's a little cumbersome. 

0 Karma
Reply
Get Updates on the Splunk Community!

Observability Unlocked: Kubernetes Monitoring with Splunk Observability Cloud

 Ready to master Kubernetes and cloud monitoring like the pros? Join Splunk’s Growth Engineering team for an ...

Update Your SOAR Apps for Python 3.13: What Community Developers Need to Know

To Community SOAR App Developers - we're reaching out with an important update regarding Python 3.9's ...

October Community Champions: A Shoutout to Our Contributors!

As October comes to a close, we want to take a moment to celebrate the people who make the Splunk Community ...