Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Search for a value in a set of results, then indicate in a new field if the value was found

toryan
Engager
‎09-13-2019 11:56 AM

I have a somewhat complicated search whose results I present in a dashboard, and looks a bit like this:

[
    search 
(
    _raw IN (<video title>)
)
 AND event_name=process.start | fields video_id
 ] 
 (event_name=processor.*) | eval mytime=strftime(_time, "%Y/%m/%d %H:%M:%S") | stats latest(event_name) as Event latest(video_title) as Title latest(mytime) as "Message time" latest(status_short_text) as "Message text" by video_filename

This searches for a message indicating that processing of a particular video title has started. Then passes video_id to a new search, which returns the latest status message for each video_filename found for that video ID.

The system returns a "Processing complete" message indicating that a particular file has finished processing, but this is not necessarily the last message returned. I would like to create a field that indicates whether a "Processing complete" message has been received for each video_filename.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...

Fun with Regular Expression - multiples of nine

Fun with Regular Expression - multiples of nineThis challenge was first posted on Slack #regex channel ...