Splunk Search

Search a keyword in log file

loveforsplunk
Explorer

I have a log file with suppose keyword "Completed".

Now first thing I want to do in the search is , search for this keyword ("Completed") in the log file.

If the keyword is present , then it is not required to search anymore . But if it is not present , the search should trigger.

So, I want something like this : eval check= if(match(_raw, "%Completed%"), do nothing, trigger search)

Is it possible , something like this in Splunk ?

Let me elaborate :

my search will search for two keywords in the log file
1. Completed
2. Value

First it should check for "completed" , if it gets completed in the log file , it will come out of the loop and will not check the "value" printed in the log file.

If it does not gets "completed" , then only it will check for "value" and throw an alert based on the value.

Tags (1)
0 Karma
1 Solution

woodcock
Esteemed Legend

Do it E*X*A*C*T*L*Y like this:

[ Your Condition Search Here | stats count(eval(searchmatch("Completed"))) AS SearchIfNotZero | eval search=if((SearchIfNotZero>0), "Your Triggered Search String Here", "|noop | stats count AS Your_Search_Was_NoT_Triggered") | fields search ]

View solution in original post

0 Karma

woodcock
Esteemed Legend

Show sample events and sample outputs for each case. I do not get it.

0 Karma

loveforsplunk
Explorer

okay. My sample search is as below;

index=abc host=def mainKeyword| join source [search string to create source] | where mainKeyword< 20
If this search returns any result , I am getting an alert which is my requirement but I want to add another check with this which is explained below.
Suppose my log is like this:

abc
efh
18
completed.

Now my search is returning me the value for mainKeyword 18 which is less then 20 after reading from the source file and throwing an alert.

Now my new check is to first, search if the log has the "completed" keyword or not. If it returns true for "completed" like below then it will not throw any alert even if value is less than 20 as it shows completed;

if("completed"){
do nothing
} else
trigger the search and throw an alert if the mainKeyword's value is less than 20.

Hope I could explain you better 🙂

0 Karma

woodcock
Esteemed Legend

Do it E*X*A*C*T*L*Y like this:

[ Your Condition Search Here | stats count(eval(searchmatch("Completed"))) AS SearchIfNotZero | eval search=if((SearchIfNotZero>0), "Your Triggered Search String Here", "|noop | stats count AS Your_Search_Was_NoT_Triggered") | fields search ]
0 Karma

loveforsplunk
Explorer

When I am trying ur search I am getting this error Error in 'eval' command: Fields cannot be assigned a boolean result. Instead, try if([bool expr], [expr], [expr]) in eval search. Can you please tell why. ANy Idea

0 Karma

loveforsplunk
Explorer

I made a few corrections and it worked !! Thank you so much for letting me go in the right track. 🙂

0 Karma

woodcock
Esteemed Legend

Great! Please do post the adjusted search here in the comments so we can all learn.

0 Karma

Richfez
SplunkTrust
SplunkTrust
MySearchCriteria earliest=-5m  NOT "Complete" | stats count

Then save that as an Alert for when "count" equals 0?

0 Karma

Richfez
SplunkTrust
SplunkTrust

How long should one wait for the word "Completed" to show up before deciding it isn't there? Do you have samples of the events, the approximate quantity of non-complete vs. complete events? Is there a relationship between some of the regular events and the ones that signal complete?

0 Karma

Richfez
SplunkTrust
SplunkTrust

Do you mean that if you find no keyword "Completed" then an alert should trigger?

0 Karma

loveforsplunk
Explorer

yeah, kind of. my search will search for two keywords in the log file
1. Completed
2. Value

First it should check for "completed" , if it gets completed in the log file , it will come out of the loop and will not check the value printed in the log file.

If it does not gets completed , then only it will check for "value" and throw an alert based on the value.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...