Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to return stats from subsearch if first search returns no events

rune_hellem
Contributor
‎01-23-2022 10:56 PM

I have created a search that will trigger if no events from the following search is being returned

index=ipl_prod source="e:\\logs\\icc-application.log" sourcetype="log4j:ipl" operationName=hentOpptjeningsperioder status=OK

Search is only being triggerd during business hours Monday to Friday, problem is that I cannot instruct the cron schedule to not trigger on holidays. Holidays means no activity, so to make it a bit easier to evaluate if this is a false positive or not I want to add to the email being sent statistics of all statuses. Then we know if no other statuses has been found either, it is safe to ignore.

index=ipl_prod source="e:\\logs\\icc-application.log" sourcetype="log4j:ipl" operationName=hentOpptjeningsperioder status=OK [if no eventes then subsearch and return those events]
Labels (2)
Labels
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎01-23-2022 11:56 PM 
| appendpipe
    [stats count as _rows
    | where _rows=0
    | eval status="no rows found"]
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎01-23-2022 11:22 PM

Hi @rune_hellem,

let me understand: you want to exclude results i holidays to avoid false positives, is it correct?

if this is your need, I solved this problem using a lookup containing all the holidays of the week, something like this:

day          fest
2022-01-01   0
2022-01-02   0
2022-01-03   1
2022-01-04   1
2022-01-05   1
2022-01-06   0
2022-01-07   1
2022-01-08   0
2022-01-09   0
2022-01-10   1
and so on

in this way you can a condition to your search to be sure that in week-ends and holidays you don't have results, something like this:

index=ipl_prod source="e:\\logs\\icc-application.log" sourcetype="log4j:ipl" operationName=hentOpptjeningsperioder status=OK
| eval day=strftime(_time,"%Y-%m-%d")
| lookup calendar.csv day OUTPUT fest
| search fest=1
| ...

Ciao.

Giuseppe

(called e.g. calendar.csv)  

0 Karma
Reply
Get Updates on the Splunk Community!

Index This | I’m short for "configuration file.” What am I?

May 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with a Special ...

New Articles from Academic Learning Partners, Help Expand Lantern’s Use Case Library, ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Your Guide to SPL2 at .conf24!

So, you’re headed to .conf24? You’re in for a good time. Las Vegas weather is just *chef’s kiss* beautiful in ...