Splunk Search

how to search on multiple key/value

splunkhan
New Member

"Log was backed up. Database: <abc>" host=<xyz>

I currently have multiple alerts - one for each database / server. There must be a better way to perform the following search, where I have multiple hosts containing multiple databases, and to alert when an individual database has zero events within a 60-minute window.

This seems very cumbersome, and I don't know how to set up an alert to capture the database / server when no events are occurring.

"Log was backed up. " Database: <abc_1> OR Database: <abc_2> host=<xyz_1> OR host=<xyz_1> OR host=<xyz_2>


somesoni2
Revered Legend

One way of doing this is to have those servers/databases in a lookup and then use that lookup in your search to see which lookup row (host-database combination) has data.
Something like this (assuming the database field is already extracted):

|inputlookup hostdatabase.csv | search NOT [ search "Log was backed up. " | stats count by host database | table host database  ] 

Try this if the database field is not extracted:

|inputlookup hostdatabase.csv | search NOT [ search "Log was backed up. " | rex "Log was backed up\.\s+Database:\s+(?<database>\S+)" | stats count by host database | table host database ]
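As an added example that is not part of the original thread, here is the same lookup idea written as a complete hourly alert search: it assumes hostdatabase.csv has one row per expected pair with columns host and database (as in the answer above), and index=backup_logs is a constructed index name. It uses append plus stats instead of a NOT subsearch, so every expected pair gets a backup count and the rows left after the where clause are exactly the host/database pairs that logged nothing in the last 60 minutes:

```spl
| inputlookup hostdatabase.csv
| eval backups=0
| append
    [ search index=backup_logs "Log was backed up." earliest=-60m latest=now
      | rex "Log was backed up\.\s+Database:\s+(?<database>\S+)"
      | stats count AS backups BY host database ]
| stats sum(backups) AS backups BY host database
| where backups=0
```

Schedule it every hour with the trigger condition "number of results > 0"; each result row names one silent host/database pair, so the table can go straight into the alert message. Host and database values in the lookup must match the extracted values exactly (the comparison is case-sensitive), and the rex line can be dropped if the database field is already extracted.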


splunkhan
New Member

This solution works as expected! Thank you!
