cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
taylormc2305
New Member
Member since: ‎10-16-2013
‎06-05-2020
Community Statistics
Posts 5
Solutions 0
Karma Given 0
Karma Received 0
Member Since ‎10-16-2013
Activity Feed
View All

Re: Reporting zero results for hosts

by in Knowledge Management
‎11-25-2013 07:46 AM
‎11-25-2013 07:46 AM
I think perhaps I should withdraw this query - though I could hardly object if someone came up with a brilliant idea! Thanks to those who have replied, and to those who may have given it a passing though ... View more

Re: Reporting zero results for hosts

by in Knowledge Management
‎11-25-2013 07:46 AM
‎11-25-2013 07:46 AM
Thanks, I can see your point, and indeed we have a search that does more or less the same thing. Ideally, though, I'm looking to incorporate the "zero" entries into the final report - though the more I think about it, the more I fear that in order to do that, I would have to cycle though every host on the system in order to generate a summary record for each host - which would mean running the same subsearch (as it might be) a couple of hundred times! Not sure how far search acceleration would help me there :-(. ... View more

Re: Reporting zero results for hosts

by in Knowledge Management
‎11-25-2013 04:05 AM
‎11-25-2013 04:05 AM
That depends, I am sure, on how the search is formulated. This is the question I am asking. ... View more

Reporting zero results for hosts

by in Knowledge Management
‎11-25-2013 03:19 AM
‎11-25-2013 03:19 AM
We have a search that runs overnight, updating a summary index for reporting the following day, as follows. tag::eventtype="failure" tag:: eventtype="authentication" tag::eventtype="user" | stats count by host The daytime search reads: index=xx-summary earliest=-2w@w1 latest=-1d search name="overnight-search-name" | eval date=time | convert timeformat="%d-%b-%Y" ctime(date) | stats sum(count) by _time date | fields - _time This search provides input to a report which graphs the results over the given period. Now, as the overnight search searches for authentication events, obviously it does not produce results for hosts which have no such events; and the result is that if there are no authentication failures overnight, there are no stats for any host, and consequently no entry (rather than a zero entry) for that date in the final report. The result is that we have a blank patch in the report which may require investigation to confirm that there were in fact no authentication failures, rather than it being due to e.g. a Splunk collector failure. What I would like to do is to arrange that a day with no authentication failures should be reported by a zero entry for that day, rather than no entry. I'd be grateful for any ideas on how to achieve this. Could I somehow cycle through all hosts using "metadata=hosts"? ... View more

Re: Add a comment to a search?

by in Splunk Search
‎10-16-2013 08:14 AM
‎10-16-2013 08:14 AM
As an argument to the search, add e.g. NOT xcomment="This is a comment" where no field named "xcomment" exists. Comments can be added further down the search by inserting a further "search" command. Not sure of the performance impact, but it should be small, as it just involves testing for the existence in the data of a field named e.g. xcomment. ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎06-05-2020 02:04 AM