Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to get the "COD SERIE CEI" which has no events between now and 2 hours ago?

raultav
Engager
‎04-16-2021 11:07 AM

Hi, guys!

I have an event table, which has a field called "COD SERIE CEI". I need to get the "COD SERIE CEI" which has no events between now and 2 hours ago.

index="raw_arq_cei" Titulo="NCEI Informativas"
| eval eventHour=strftime(_time,"%H")
| eval eventMin=strftime(_time,"%M")
| eval curHour=strftime(now(),"%H")
| eval curMin=strftime(now(),"%M")
| table Dados.COD_SERIE_CEI
| sort _time

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎04-19-2021 08:54 AM

Finding something that is not there is not Splunk's strong suit.  See this blog entry for a good write-up on it.

https://www.duanewaddle.com/proving-a-negative/

Another approach is to look back more than 2 hours (like 4 or even 24) and see if the most recent event has a timestamp older than 2 hours.

index="raw_arq_cei" Titulo="NCEI Informativas" earliest=-4h
| stats latest(_time) by Dados.COD_SERIE_CEI
| eval timeSince=now()-_time
| where timeSince > 7200
| sort _time
| table Dados.COD_SERIE_CEI
---
If this reply helps you, Karma would be appreciated.

View solution in original post

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎04-16-2021 11:48 AM

It's not clear what problem you are trying to solve.  Are you looking for data that is at least 2 hours old or a lack or events in the last 2 hours or something else?

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

raultav
Engager
‎04-19-2021 07:16 AM

Hi Rich!

I edited my question.

I have an event table, which has a field called "COD SERIE CEI". I need to get the "COD SERIE CEI" which has no events between now and 2 hours ago.

0 Karma
Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎04-19-2021 08:54 AM

Finding something that is not there is not Splunk's strong suit.  See this blog entry for a good write-up on it.

https://www.duanewaddle.com/proving-a-negative/

Another approach is to look back more than 2 hours (like 4 or even 24) and see if the most recent event has a timestamp older than 2 hours.

index="raw_arq_cei" Titulo="NCEI Informativas" earliest=-4h
| stats latest(_time) by Dados.COD_SERIE_CEI
| eval timeSince=now()-_time
| where timeSince > 7200
| sort _time
| table Dados.COD_SERIE_CEI
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...