I cannot login directly to the Splunk server, only to the application. Is the "btool" command line only available from the Enterprise server command line? Is there a search or API call that I can make to get the information?           ... View more

Sorry, I was out of the office. I will try this today and let you know. ... View more

Thank you for the advice. Actually it is working now for me with your original search query. I'm not sure if I was doing something wrong but it works for me and already setup the alerts. ... View more

Thanks but I'm still getting results..... it does not matter the case..... I should get NO results because "Exception" is NOT missing. Try it yourself please and you will see..... find a word that is on every log during the time span analyzed. Then do the query to see if you get a result if that word is missing........ ... View more

This is not working.... I've tried a word that shows up on every JAVA app SystemOut.log like "Exception" and that search query shows me everything but "Exceptions" on the search results. What I will like is a query that should only show any results if the word "Exceptions" is missing. Here is the result of your suggested query: index=xxxhub host="xxxxx" source=/logs/SystemOut.log |eval x= if(match(_raw,"exceptions"), 1,0)| eventstats sum(x) as sum| where sum=0 Results I only pasted a few lines but it's full of results..... I should see NO results because the word "Exception" is NOT missing but appears multiple times.... Again, I want to see results if the "word" is missing from the log. [5/21/19 13:03:08:696 PDT] 0000010d SAMLDefaultLo I org.springframework.security.saml.log.SAMLDefaultLogger log AuthNRequest;SUCCESS; xx.00.00.103;xxxx.com;;; host = xxxxx.com source = /logs/SystemOut.log sourcetype = sysout 5/21/19 1:03:07.411 PM [5/21/19 13:03:07:411 PDT] 000000fe LoggingOutInt I org.apache.cxf.interceptor.LoggingOutInterceptor Outbound Message ID: 25179 Response-Code: 200 Content-Type: application/xml;charset=UTF-8 Show all 8 lines ... View more