Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

how to search on multiple key/value

splunkhan
New Member
‎04-02-2019 11:49 PM

"Log was backed up. Database: <abc>" host=<xyz>

I currently have multiple alerts - one for each database / server. There must be a better way to perform the following search Where I have multiple multiple hosts containing multiple databases and to alert when an individual database has zero events within a 60 minute window?

This seems very cumbersome, and I don't know how to set up alert to capture the database / server when no events are occurring.

"Log was backed up. " Database: <abc_1> OR Database: <abc_2> host=<xyz_1> OR host=<xyz_1> OR host=<xyz_2>

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎04-03-2019 07:25 AM

One way of doing this is to have those servers/databases in a lookup and then use that lookup in your search to see which lookup row (host-database combination) has data.
Something like this (assuming field database is already extracted)

|inputlookup hostdatabase.csv | search NOT [ search "Log was backed up. " | stats count by host database | table host database  ]

Try this if database field is not extracted

|inputlookup hostdatabase.csv | search NOT [ search "Log was backed up. " | rex "Log was backed up\.\s+(?<database>\S+)" | stats count by host database | table host database  ]

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎04-03-2019 07:25 AM

One way of doing this is to have those servers/databases in a lookup and then use that lookup in your search to see which lookup row (host-database combination) has data.
Something like this (assuming field database is already extracted)

|inputlookup hostdatabase.csv | search NOT [ search "Log was backed up. " | stats count by host database | table host database  ]

Try this if database field is not extracted

|inputlookup hostdatabase.csv | search NOT [ search "Log was backed up. " | rex "Log was backed up\.\s+(?<database>\S+)" | stats count by host database | table host database  ]
0 Karma
Reply
Solved! Jump to solution

splunkhan
New Member
‎04-03-2019 11:28 PM

This solution works as expected! Thank you!

0 Karma
Reply
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...