Splunk Search

Pass values in splunk search and compare it with results

raghul725
Explorer
Hello,
Currently my search looks for the list of containers whose logs include the "initialised successfully" message and lists them. The alert I have set looks at the number of containers under the Total Connections column; if it is less than 28, then some of them did not connect successfully.
 
How can I pass the list of containers in my search and compare that with the result produced, and state if the result is missing a container, please?
 
 
Sorry I cannot provide the exact search on a public forum, so I am sharing something similar.
 
Example: (my example just shows 4 containers)
 
The search should return container A, container B, container C, container D
 
Current search:
 
index=*  Initialised xxxxxxxxxxxx xxxxxx|rex "\{consumerName\=\'(MY REGEX)"|chart count AS Connections by name| addcoltotals labelfield="Total Connections"
 
 
The current result is
 
Container_Name | Count | Total_Connections
Container A    | 1     |
Container B    | 1     |
Container C    | 1     |
Container D    | 1     |
               |       | 4
 
How can I tweak the above search to include containers A, B, C and D, so that if container D is missing from the result, the search compares the result with the values passed in the search and states which container is missing as the last line in the above table, i.e. preserves the existing result but also states which container is missing from it, please?
 
Regards
0 Karma

yuanliu
SplunkTrust

If you know all container names in advance, simply enumerate them.  One way to do this is to use foreach.

 

index=*  Initialised xxxxxxxxxxxx xxxxxx |rex "\{consumerName\=\'(MY REGEX)"
| stats count as Connections by Container_Name
| transpose header_field=Container_Name column_name=Container_Name
| foreach "Container A", "Container B", "Container C", "Container D"
    [eval "<<FIELD>>" = if(isnull('<<FIELD>>'), "(missing)", '<<FIELD>>')]
| transpose header_field=Container_Name column_name=Container_Name
| addcoltotals fieldname=Connections labelfield=Container_Name

 

(If you perform stats on Container_Name, 

For example, if your data is missing "Container D", you get

Container_Name   Connections
Container A      1
Container B      1
Container C      1
Container D      (missing)
Total            3

If your data is missing "Container C", you get

Container_Name   Connections
Container A      1
Container B      1
Container D      1
Container C      (missing)
Total            3

And so on.

Here is an emulation for you to play with and compare with real data

 

| makeresults
| fields - _time
| eval Container_Name = mvappend("Container A", "Container B", "Container C", "Container D")
``` data emulation above ```

0 Karma

ITWhisperer
SplunkTrust

Finding something that doesn't exist is not one of Splunk's strong suits! You can get around this by telling Splunk what to look for, for example

index=*  Initialised xxxxxxxxxxxx xxxxxx|rex "\{consumerName\=\'(MY REGEX)"|chart count AS Connections by name
| append
  [| makeresults format=csv data="name
Container A
Container B
Container C
Container D"]
| stats count by name
| where count < 2
0 Karma

raghul725
Explorer

Thank you, but when I run the suggestion provided on a time period I know would not return any result, nothing shows up. I expected it to provide me the entire list in makeresults.

Sorry if I am missing something here or I don't understand your suggestion.

0 Karma

ITWhisperer
SplunkTrust

Which version of Splunk are you running, as the format and data options to makeresults were introduced in version 9?

0 Karma

raghul725
Explorer

I am afraid it's on Version 8.2.11.2

That answers it.

 

I assume there is nothing else we can try on the version I am on, please?

 

Best Regards

 

0 Karma

ITWhisperer
SplunkTrust

Try it like this (for pre-Splunk 9)

index=*  Initialised xxxxxxxxxxxx xxxxxx|rex "\{consumerName\=\'(MY REGEX)"|chart count AS Connections by name
| append
  [| makeresults
  | eval name="Container A,Container B,Container C,Container D"
  | eval name=split(name,",")]
| stats count by name
| where count < 2

 

0 Karma
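The pre-9 append approach above lists only the absent names, while the original question also asked to keep the existing Connections table and flag the missing container on its own row. Here is an added example (not from any post in this thread) that combines both: the first three lines are constructed sample data standing in for the real search, with only containers A, B and C reporting, and the expected list is inlined with split/mvexpand so it runs on Splunk 8.x.

```spl
| makeresults count=3 ``` constructed sample data: only A, B and C report; replace these three lines with the real search ```
| streamstats count AS n
| eval name=case(n=1, "Container A", n=2, "Container B", n=3, "Container C")
| fields - _time, n
| chart count AS Connections by name
| append
    [| makeresults
     | eval name=split("Container A,Container B,Container C,Container D", ",")
     | mvexpand name
     | eval Connections=0 ``` expected list contributes zero connections, so sum() keeps real counts ```
     | fields - _time]
| stats sum(Connections) AS Connections by name
| eval Connections=if(Connections=0, "(missing)", Connections)
| addcoltotals Connections labelfield=name label="Total"
```

With this sample the table shows A, B and C with 1, Container D with "(missing)", and a Total row of 3, since addcoltotals only sums the numeric values; swapping the inline list for `| inputlookup containers.csv` gives the externalised variant.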

PickleRick
SplunkTrust

I would also advise to externalise the config (the list of wanted containers) from the search itself.

So I'd simply create a lookup (let's call it containers.csv) with just one column called "name" containing all the containers you expect and then do

 

index=*  Initialised xxxxxxxxxxxx xxxxxx|rex "\{consumerName\=\'(MY REGEX)"|chart count AS Connections by name
| append
  [| inputlookup containers.csv ]
| stats count by name
| where count < 2

 

This way if your list of containers changes it's easy to just update the lookup instead of rewriting the search.

0 Karma