Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Return something when search doesn't return an...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I want to have a table with results of a search of the SQL logs for backups. But the search I have only returns the successful backups. I want to display a line in the table if a backup failed, i.e. if a database name does NOT appear in the search results.
Is this possible? I tried an 'append', but the last line is repeated if the search term is not found.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
My own comment of 'set math' set me on a path to the "set union" command. I now search for successes and failures and combine to a single table.
I have not answered my original question, but I have a work around for my current problem.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
My own comment of 'set math' set me on a path to the "set union" command. I now search for successes and failures and combine to a single table.
I have not answered my original question, but I have a work around for my current problem.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Do you have (or can generate) a list of all Database Names?
You could index that list.
Extract the database name from the backup logs. Use the same fieldname (e.g., db_name) in both sourcetypes (the list of all databases and the backup log)
The following should give you a list of database names from the alldatabases sourcetype that aren't matched in the backuplog sourcetype.
sourcetype="alldatabases" | join type=outer db_name [search sourcetype=backuplog] | search sourcetype=alldatabases | table db_name
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'm glad that you found a different solution. The search from my answer will work as well. There needs to be a common field name for the join command to work.
Note that if you run my search without " | search sourcetype=alldatabases | table db_name", the result set has a mix of the 2 sourcetypes. The rows with the sourcetype="alldatabases" did not find a match in the other sourcetype. So, the extra search command at the end should filter the results accordingly.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I don't think the set math works. I get a list of all databases from the database list.
To test, I added a bogus database name to a txt file of valid db names, indexed it, and performed your search.
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Index This | What travels the world but is also stuck in place?
Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data
Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...
