Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Zero events monitoring in chart

ejpulsar
Path Finder
‎10-14-2013 02:09 AM

Hi!

I need to build realtime search which tracks if NO events with particular P_LOGIN_NAME are received in last 15 minutes.
But the core problem is: if no events, there are no these lines in chart.

1) I have events with fields

P_LOGIN_NAME=STRING1 status=200    
P_LOGIN_NAME=STRING1 status=404    
P_LOGIN_NAME=STRING3 status=200    
LOGIN=STRING4 status=200

2) My realtime core search (rt-15m) with some enrichment with external csv:

source="Apache_dealers_pays_logs" status=200 OR status=404 | 
eval P_LOGIN_NAME=coalesce(P_LOGIN_NAME,LOGIN) |
chart count OVER P_LOGIN_NAME by status

3) It works flawlessly until no events in past 15 minutes present by P_LOGIN_NAME. I tried to avoid it by csv with all P_LOGIN_NAME:

source="Apache_dealers_pays_logs" status=200 OR status=404  | 
eval P_LOGIN_NAME=coalesce(P_LOGIN_NAME,LOGIN) |
chart count OVER P_LOGIN_NAME by status | 
JOIN type=outer P_LOGIN_NAME [ | inputcsv PLATEZHI_KASSY_Description.csv | table P_LOGIN_NAME ]

4)
First trouble: I still didn't see joined rows with empty fields.
Second trouble: I did not know, how it will be work in rt search.

Tags (2)
0 Karma
Reply

ayme
Splunk Employee
Splunk Employee
‎10-18-2013 02:58 AM

Appending lookups doesn't work with RT as you say I think. The only thing I think I can suggest is that every 15 minutes you inject the list of all the P_LOGIN_NAMEs into Splunk (you can use a scheduled search and pump it into a summary Index). Then you're RT search would be:

(source="Apache_dealers_pays_logs" status=200 OR status=404) OR (index=my_summary_users_list_index) | 
eval P_LOGIN_NAME=coalesce(P_LOGIN_NAME,LOGIN) | eval status=if(isnull(status),"n/a",status) | chart dc(sourcetype) over P_LOGIN_NAME by status
0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...