Return events that do not match

indeed_2000
Motivator

Hi

I have a field called "servername" that returns this:

...| table servername
server1
server2
server3

I need SPL that, when I give it a list of my servernames, returns which servernames do not exist.

Expected output:

...|search server1 OR server2 OR server3 OR server4 | table servername status

servername    status
server4       X

Any idea?

Thanks


PickleRick
SplunkTrust

Splunk on its own only passes returned data past the pipe. It has no idea what the search was. So it doesn't matter if you were searching for just 3 hosts or for 4 and one just wasn't there. You simply get your resulting events.

So if you want to have stats for non-existing entities (servername in your case), you have to prepare "baseline" values, append them to the original results and combine them together:

<your search>
| append
    [ | inputlookup baseline.csv ]
| stats values(status) by servername
| eval status=if(mvcount(status)=1,status,mvfilter(status!="X"))


indeed_2000
Motivator

Is it possible to do this without a csv file?

PickleRick
SplunkTrust

Sure. You can search through earlier events (the question is whether you have all servers there), or you can craft them by hand (not very convenient if the number of servers grows). It's just that a lookup is the easiest to use.

ITWhisperer
SplunkTrust

This is a classic case of wanting Splunk to make stuff up!

If the event doesn't exist, how does Splunk know what to return?

Answer: you need to tell it!

This is often done by getting the events from another source, either a lookup file (e.g. a csv file/store) or a different search (e.g. over a different time period), then combining this with the original search and looking for events which occur in one search and not in the other.

indeed_2000
Motivator

Is it possible to do this without a csv file?

ITWhisperer
SplunkTrust

Yes, as I suggested, a different search could be used to return all the server names (assuming you have the events indexed), or you could use makeresults to generate a set of events with the server names you are looking for.

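Putting the two suggestions together (a makeresults baseline instead of a CSV, then stats to merge it with the real events), as an added example that is not from either poster: the index, sourcetype and the four-server list are placeholders and constructed values, and the baseline rows carry a count of 0 so a server that never appears in the real events sums to 0 and is flagged.

```spl
index=<your_index> sourcetype=<your_sourcetype>
| rename COMMENT AS "<your_index>/<your_sourcetype> and the server list below are placeholders; replace them with your own"
| stats count AS events BY servername
| append
    [| makeresults
     | eval servername=split("server1,server2,server3,server4", ",")
     | mvexpand servername
     | eval events=0
     | fields servername events ]
| stats sum(events) AS events BY servername
| eval status=if(events=0, "X", "")
| table servername status
```

The `| rename COMMENT AS ...` line is a no-op used only as an inline comment, since SPL has no comment syntax that survives a code fence. The appended subsearch is subject to the usual subsearch result limits, so for a long server list the inputlookup approach above scales better.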