Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to return stats from subsearch if first search returns no events

rune_hellem
Contributor
‎01-23-2022 10:56 PM

I have created a search that will trigger if no events from the following search is being returned

index=ipl_prod source="e:\\logs\\icc-application.log" sourcetype="log4j:ipl" operationName=hentOpptjeningsperioder status=OK

Search is only being triggerd during business hours Monday to Friday, problem is that I cannot instruct the cron schedule to not trigger on holidays. Holidays means no activity, so to make it a bit easier to evaluate if this is a false positive or not I want to add to the email being sent statistics of all statuses. Then we know if no other statuses has been found either, it is safe to ignore.

index=ipl_prod source="e:\\logs\\icc-application.log" sourcetype="log4j:ipl" operationName=hentOpptjeningsperioder status=OK [if no eventes then subsearch and return those events]
Labels (2)
Labels
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎01-23-2022 11:56 PM 
| appendpipe
    [stats count as _rows
    | where _rows=0
    | eval status="no rows found"]
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎01-23-2022 11:22 PM

Hi @rune_hellem,

let me understand: you want to exclude results i holidays to avoid false positives, is it correct?

if this is your need, I solved this problem using a lookup containing all the holidays of the week, something like this:

day          fest
2022-01-01   0
2022-01-02   0
2022-01-03   1
2022-01-04   1
2022-01-05   1
2022-01-06   0
2022-01-07   1
2022-01-08   0
2022-01-09   0
2022-01-10   1
and so on

in this way you can a condition to your search to be sure that in week-ends and holidays you don't have results, something like this:

index=ipl_prod source="e:\\logs\\icc-application.log" sourcetype="log4j:ipl" operationName=hentOpptjeningsperioder status=OK
| eval day=strftime(_time,"%Y-%m-%d")
| lookup calendar.csv day OUTPUT fest
| search fest=1
| ...

Ciao.

Giuseppe

(called e.g. calendar.csv)  

0 Karma
Reply
Get Updates on the Splunk Community!

Changes to Splunk Instructor-Led Training Completion Criteria

We’re excited to share an update to our instructor-led training program that enhances the learning experience ...

Stay Connected: Your Guide to January Tech Talks, Office Hours, and Webinars!

❄️ Welcome the new year with our January lineup of Community Office Hours, Tech Talks, and Webinars! 🎉 ...

Preparing your Splunk Environment for OpenSSL3

The Splunk platform will transition to OpenSSL version 3 in a future release. Actions are required to prepare ...