Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to have stats with no result found

pbd
Explorer
‎09-12-2019 04:32 AM

Hi,

I'm looking at logs on a Gateway to see if there is traffic or not for specific files at a specific time.
I want to show the status of the flow.

The file has to be present only on Monday between 5:30PM and 7:30PM.
If it is then the state is "OK" and "KO" if not.
If we are another day and there that is no traffic, it's "Not expected"
Otherwise, it's a warn.

Could you please help ?

Here is my command line :

eventtype=echanges IDF="KB0N3A*" OR IDF="N70N3A*" ENDTIME>"17:30:00" ENDTIME<"19:30:00" RECEPTEUR="FGPXYG00" STATUS="COMPLETED" VOLUMETRIE>0 | stats count as Nb by IDF,date_wday | eval State = if(Nb == 1,if(match(date_wday, "monday"),"OK","Warning"),if(match(date_wday,"monday"),"Warning","Not Expected")) | table State
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
SplunkTrust
SplunkTrust
‎09-12-2019 06:42 AM

Give this a try

eventtype=echanges IDF="KB0N3A*" OR IDF="N70N3A*" ENDTIME>"17:30:00" ENDTIME<"19:30:00" RECEPTEUR="FGPXYG00" STATUS="COMPLETED" VOLUMETRIE>0 
| stats count as Nb by IDF,date_wday 
| appendpipe [| stats count as Nb| where Nb=0 | eval date_wday=lower(strftime(now(),"%A"))]
| eval State = if(Nb == 1,if(match(date_wday, "monday"),"OK","Warning"),if(match(date_wday,"monday"),"Warning","Not Expected")) | table State

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

somesoni2
SplunkTrust
SplunkTrust
‎09-12-2019 06:42 AM

Give this a try

eventtype=echanges IDF="KB0N3A*" OR IDF="N70N3A*" ENDTIME>"17:30:00" ENDTIME<"19:30:00" RECEPTEUR="FGPXYG00" STATUS="COMPLETED" VOLUMETRIE>0 
| stats count as Nb by IDF,date_wday 
| appendpipe [| stats count as Nb| where Nb=0 | eval date_wday=lower(strftime(now(),"%A"))]
| eval State = if(Nb == 1,if(match(date_wday, "monday"),"OK","Warning"),if(match(date_wday,"monday"),"Warning","Not Expected")) | table State
0 Karma
Reply
Solved! Jump to solution

pbd
Explorer
‎09-12-2019 07:55 AM

Thank you very much!!!!

0 Karma
Reply
Solved! Jump to solution

pbd
Explorer
‎09-12-2019 07:54 AM

I think I've finally found !!! \o/

eventtype=echanges IDF="KB0N3A*" OR IDF="N70N3A*" ENDTIME>"17:30:00" ENDTIME<"19:30:00" RECEPTEUR="FGPXYG00" STATUS="COMPLETED" VOLUMETRIE>0 | stats count as Nb by IDF,date_wday | appendpipe [| stats count as Nb| where Nb=0 | addinfo | eval date_wday=lower(strftime(info_min_time,"%A"))] | eval State = if(Nb == 1,if(match(date_wday, "monday"),"OK","Warning"),if(match(date_wday,"monday"),"Warning","Not Expected")) | table State date_wday Nb

Reply
Solved! Jump to solution

pbd
Explorer
‎09-12-2019 07:42 AM

Thank you for the fast reply !
This would be perfect if I can replace "now()" in the strftime function by the time i'm searching for ?
You put me on the right track I think.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability Cloud | Customer Survey!

If you use Splunk Observability Cloud, we invite you to share your valuable insights with us through a brief ...

.conf23 | Get Your Cybersecurity Defense Analyst Certification in Vegas

We’re excited to announce a new Splunk certification exam being released at .conf23! If you’re going to Las ...

Starting With Observability: OpenTelemetry Best Practices

Tech Talk Starting With Observability: OpenTelemetry Best Practices Tuesday, October 17, 2023   |  11AM PST / ...