I am new to Splunk, can someone please help me with the case below?
My log looks like this:
Name="ABCD"
Config Name="XYZ"
Count_of_Date_Chunks="2"
Dates_1="2017-01-01,2017-01-02,2017-01-03,2017-01-05,2017-01-07"
Dates_2="2016-01-01,2016-01-02,2016-01-03,2016-01-05,2016-01-07"
Count_of_Missing_Date_Chunks="2"
Missing_dates_1="2017-01-04,2017-01-06"
Missing_dates_2="2016-01-01,2016-02-06"
Msg="SUCCESS" or "FAIL"
I have a lookup file with configuration names. What I have to do is: if I find a log for the Config, it needs to be marked as found or else not found, and then I have to count the Missing_dates (I need to consider Missing_dates_1, Missing_dates_2; it's dynamic and based on the field Count_of_Missing_Date_Chunks) and display the count as a table.
As of now, I have the query for non-dynamic chunks without the lookup file. Can someone please help me form the Splunk query for dynamic chunks and the file lookup? In the query below I am counting based on comma as a delimiter:
| where Msg="SUCCESS"
| eval count_of_missing_dates = mvcount(split(missing_dates, ","))
| table Name Config count_of_missing_dates Msg
The CSV file is in the format below:
Config_name
XYZ
PQR
AAA
The final table will have: Name, Config, count_of_missing_dates, Msg, Event_Status (Found/Not Found from the lookup).
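One way to get there, as an added example (not from the original post): `foreach` with a wildcard sums every `Missing_dates_N` field that exists on an event, so the number of chunks does not need to be known in advance, and `append` + `inputlookup` brings in every lookup row so configs with no matching event still appear as Not Found. It assumes the index/sourcetype (`app_logs`, `chunk_report`), the uploaded lookup file name (`config_names.csv`) and that the `Config Name="..."` pair is already extracted as a field named `Config`, as in the original query; rename those to match your environment.

```spl
index=app_logs sourcetype=chunk_report Msg="SUCCESS"
| foreach Missing_dates_* [
    eval count_of_missing_dates = coalesce(count_of_missing_dates, 0)
        + if(isnull('<<FIELD>>') OR len('<<FIELD>>') == 0, 0, mvcount(split('<<FIELD>>', ",")))
  ]
| eval found = 1
| append [ | inputlookup config_names.csv | rename Config_name AS Config | eval found = 0 ]
| stats values(Name) AS Name, max(count_of_missing_dates) AS count_of_missing_dates,
        values(Msg) AS Msg, max(found) AS found BY Config
| eval Event_Status = if(found == 1, "Found", "Not Found")
| table Name Config count_of_missing_dates Msg Event_Status
```

The `if(isnull(...) OR len(...) == 0, 0, ...)` guard matters because `split("", ",")` still yields one (empty) value, which would otherwise count as a missing date; the `found` flag is 1 on real events and 0 on lookup rows, so `max(found)` per Config is 1 exactly when at least one SUCCESS event was seen.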