
How to find values missing from search events compared to a list (either a lookup file or declared values)

New Member

I need to find the list of missing processes on a list of hosts and set up an alert.

There will be a number of processes (~16) to be monitored on a number of hosts.

I need some help in evaluating which process is missing.
I can take the lookup file approach but would like to do a search and eval without using a lookup.

I tried it this way:

earliest=-10m@m (index=os* OR index=matrix_os) source=ps host=abc*
| rex field=COMMAND "somename\/(?<inst>[^\/]*)/httpd/sbin/httpd"
| stats count by inst host
| eval mylist="inst0,inst1,test1,test2"
| eval procname=split(mylist,",")
| mvexpand procname
| eval is_running=if(match(procname, inst),1,0)
| table is_running host inst count procname

This lists out all matching and non-matching rows. I want to list out only where procname=test1 is not found on a host.


Esteemed Legend

Do it like this (will need adjustment; this is run-anywhere):

| append  [| makeresults 
    | fields - _time 
    | rename COMMENT1of2 AS "All real events will have a 'host' value, but these 'sentinel' events will not"
    | rename COMMENT2of2 AS "This section would best be done as a 'lookup' using '|inputlookup append=t' instead of '|makeresults'."
    | eval sourcetype="audittrail kvstore mongod scheduler splunk_disk_objects splunk_python splunk_resource_usage splunk_web_access splunk_web_service splunkd splunkd_access splunkd_ui_access ta_snow ta_snow_util this_will_never_have_data" 
    | makemv sourcetype] 
| stats count(host) AS count BY sourcetype
| eval is_running=if((count>0), 1, 0)

Esteemed Legend

@hulgundi, if this worked for you, please click Accept to close the question and help others find valid solutions more easily.

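Applying the answer's sentinel-row idea to the question's actual case (which expected process is missing on which host), as an added SPL example that is not part of the original thread. It keeps the question's indexes, source, host pattern and regex; the expected-process list, the field names missing_process and the use of appendpipe (instead of the answer's makeresults, so the base search is not run twice) are assumptions:

```spl
earliest=-10m@m (index=os* OR index=matrix_os) source=ps host=abc*
| rex field=COMMAND "somename/(?<inst>[^/]*)/httpd/sbin/httpd"
| fillnull value="none" inst
| stats count BY host inst
| appendpipe
    [ stats values(host) AS host
      | mvexpand host
      | eval inst=split("inst0,inst1,test1,test2", ","), count=0
      | mvexpand inst ]
| stats sum(count) AS count BY host inst
| where count=0
| rename inst AS missing_process
| table host missing_process
```

How it works: the fillnull keeps a host in the result set even when none of its ps events matched the regex, so every host seen in the window gets sentinel rows. The appendpipe subpipeline builds one zero-count row per observed host and expected process (the cross product that the question's mvexpand was trying to produce) and appends it to the real counts. The final stats merges real rows and sentinels per host/process pair; a pair that exists only as a sentinel sums to 0 and is the missing process, so the alert condition is simply "number of results > 0". Two caveats: a host that sent no ps events at all in the last ten minutes never appears, so for host coverage the expected host list should come from a lookup via inputlookup append=t, as the answer suggests; and the process name from the regex must match the list entries exactly, since this is a field equality, not the regex match() used in the question.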