Splunk Search
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Search a keyword in log file

loveforsplunk
Explorer
‎05-30-2017 03:04 PM

I have a log file with suppose keyword "Completed".

Now first thing I want to do in the search is , search for this keyword ("Completed") in the log file.

If the keyword is present , then it is not required to search anymore . But if it is not present , the search should trigger.

So, I want something like this : eval check= if(match(_raw, "%Completed%"), do nothing, trigger search)

Is it possible , something like this in Splunk ?

Let me elaborate :

my search will search for two keywords in the log file
1. Completed
2. Value

First it should check for "completed" , if it gets completed in the log file , it will come out of the loop and will not check the "value" printed in the log file.

If it does not gets "completed" , then only it will check for "value" and throw an alert based on the value.

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎05-30-2017 04:23 PM

Do it E*X*A*C*T*L*Y like this:

[ Your Condition Search Here | stats count(eval(searchmatch("Completed"))) AS SearchIfNotZero | eval search=if((SearchIfNotZero>0), "Your Triggered Search String Here", "|noop | stats count AS Your_Search_Was_NoT_Triggered") | fields search ]

View solution in original post

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎05-30-2017 06:20 PM

Show sample events and sample outputs for each case. I do not get it.

0 Karma
Reply
Solved! Jump to solution

loveforsplunk
Explorer
‎05-30-2017 09:10 PM

okay. My sample search is as below;

index=abc host=def mainKeyword| join source [search string to create source] | where mainKeyword< 20
If this search returns any result , I am getting an alert which is my requirement but I want to add another check with this which is explained below.
Suppose my log is like this:

abc
efh
18
completed.

Now my search is returning me the value for mainKeyword 18 which is less then 20 after reading from the source file and throwing an alert.

Now my new check is to first, search if the log has the "completed" keyword or not. If it returns true for "completed" like below then it will not throw any alert even if value is less than 20 as it shows completed;

if("completed"){
do nothing
} else
trigger the search and throw an alert if the mainKeyword's value is less than 20.

Hope I could explain you better 🙂

0 Karma
Reply
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎05-30-2017 04:23 PM

Do it E*X*A*C*T*L*Y like this:

[ Your Condition Search Here | stats count(eval(searchmatch("Completed"))) AS SearchIfNotZero | eval search=if((SearchIfNotZero>0), "Your Triggered Search String Here", "|noop | stats count AS Your_Search_Was_NoT_Triggered") | fields search ]
0 Karma
Reply
Solved! Jump to solution

loveforsplunk
Explorer
‎05-30-2017 10:49 PM

When I am trying ur search I am getting this error Error in 'eval' command: Fields cannot be assigned a boolean result. Instead, try if([bool expr], [expr], [expr]) in eval search. Can you please tell why. ANy Idea

0 Karma
Reply
Solved! Jump to solution

loveforsplunk
Explorer
‎05-31-2017 12:10 AM

I made a few corrections and it worked !! Thank you so much for letting me go in the right track. 🙂

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎05-31-2017 06:42 AM

Great! Please do post the adjusted search here in the comments so we can all learn.

0 Karma
Reply
Solved! Jump to solution

Richfez
SplunkTrust
SplunkTrust
‎05-30-2017 03:36 PM 
MySearchCriteria earliest=-5m  NOT "Complete" | stats count

Then save that as an Alert for when "count" equals 0?

0 Karma
Reply
Solved! Jump to solution

Richfez
SplunkTrust
SplunkTrust
‎05-30-2017 03:30 PM

How long should one wait for the word "Completed" to show up before deciding it isn't there? Do you have samples of the events, the approximate quantity of non-complete vs. complete events? Is there a relationship between some of the regular events and the ones that signal complete?

0 Karma
Reply
Solved! Jump to solution

Richfez
SplunkTrust
SplunkTrust
‎05-30-2017 03:26 PM

Do you mean that if you find no keyword "Completed" then an alert should trigger?

0 Karma
Reply
Solved! Jump to solution

loveforsplunk
Explorer
‎05-30-2017 04:47 PM

yeah, kind of. my search will search for two keywords in the log file
1. Completed
2. Value

First it should check for "completed" , if it gets completed in the log file , it will come out of the loop and will not check the value printed in the log file.

If it does not gets completed , then only it will check for "value" and throw an alert based on the value.

0 Karma
Reply
Get Updates on the Splunk Community!

Developer Spotlight with Brett Adams

In our third Spotlight feature, we're excited to shine a light on Brett—a Splunk consultant, innovative ...

Index This | What can you do to make 55,555 equal 500?

April 2025 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...

In today’s evolving threat landscape, we understand you’re constantly bombarded with phishing and malware ...
li.common.scroll-to.top