Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About Bennette
Bennette
Explorer
Member since:
03-14-2022
03-15-2022
Community Statistics
| Posts | 8 |
| Solutions | 0 |
| Karma Given | 2 |
| Karma Received | 1 |
| Member Since | 03-14-2022 |
Activity Feed
- Posted Re: How do I find which item is missing from a static list? on Splunk Search. 03-15-2022 10:44 AM
- Posted How do I find which item is missing from a static list? on Splunk Search. 03-15-2022 08:49 AM
- Tagged How do I find which item is missing from a static list? on Splunk Search. 03-15-2022 08:49 AM
- Tagged How do I find which item is missing from a static list? on Splunk Search. 03-15-2022 08:49 AM
- Tagged How do I find which item is missing from a static list? on Splunk Search. 03-15-2022 08:49 AM
- Got Karma for Re: Why won't my dataset literals parse?. 03-15-2022 08:34 AM
- Posted Re: Why won't my dataset literals parse? on Splunk Search. 03-15-2022 08:29 AM
- Karma Re: Why won't my dataset literals parse? for richgalloway. 03-15-2022 08:24 AM
- Posted Re: Why won't my dataset literals parse? on Splunk Search. 03-15-2022 08:02 AM
- Posted Re: Why won't my dataset literals parse? on Splunk Search. 03-15-2022 07:31 AM
- Posted Re: Why won't my dataset literals parse? on Splunk Search. 03-15-2022 06:47 AM
- Karma Re: Why won't my dataset literals parse? for richgalloway. 03-15-2022 06:47 AM
- Posted Re: How do I create a regex for the following? Too long for field extractor on Splunk Search. 03-14-2022 02:52 PM
- Posted Why won't my dataset literals parse? on Splunk Search. 03-14-2022 02:41 PM
- Tagged Why won't my dataset literals parse? on Splunk Search. 03-14-2022 02:41 PM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 |
03-15-2022
10:44 AM
I may have solved this. The search | makeresults | eval <fieldname> = split(<list as string>,<delimiter>) | mvexpand <fieldname> | search ... generates the static "dataset literal" I need, to which I can append the NOT condition to filter out the log entries seen, leaving behind the ones that are missing. Would still appreciate any better solutions you might have for this.
... View more
03-15-2022
08:49 AM
We log job status messages in splunk. When a job runs successfully, a success message is logged. When a job errors out, an error message is logged. Both types of messages include hostname as a field. But when the underlying service fails to run a job, no message is logged.
I need to find hostnames that are missing success messages. If I could use dataset literals, I might search something like this:
| FROM <list of expected hostnames as dataset literal> NOT [subsearch for success message hostnames]
But Splunk Cloud Platform apparently does not support the use of dataset literals, so I've resorted to a more convoluted process using stats, as suggested by several Internet authors:
<search for success message hostnames> | eval expected = split("<list of expected hostnames>"," ") | stats values(hostname) as hostname by expected | where NOT match (hostname,expected)
This approach works if some, but not all, expected hostnames are missing. However, in the case where all the expected hostnames are missing the search comes back empty. I understand why it comes back empty. What I need is a "correct" way to find these missing hostnames that will work in all cases.
... View more
03-15-2022
08:29 AM
1 Karma
So based on the documentation you referenced, it sounds as though dataset literals are simply not supported in SC. That's too bad, because it offered a nice solution to my root problem, which involves which item from a static list is missing in the response from a subsearch. I'll pose that question in a separate posting. Thanks, @richgalloway
... View more
03-15-2022
07:31 AM
https://docs.splunk.com/Documentation/SCS/current/Search/Datasetliterals
... View more
03-15-2022
06:47 AM
I wish it were that simple - that's just the sort of thing I might have missed. But in this case, even after adding the pipe, I still get the same error. This is being run in splunkcloud rather than on-prem. I'm new enough at this so as not to appreciate the difference, or even know if splunkcloud uses SPL or SPL2. Could that explain this behavior?
... View more
03-14-2022
02:52 PM
You say "I think these events are too long for me to use the field extractor," so apparently you've tried some things and they failed. Your events don't seem overly long to me. Can you show us what you tried and how it failed? What messages, partial results, or errors did you receive?
... View more
03-14-2022
02:41 PM
In the documentation on dataset literals there is an example query:
FROM
[
{ state: "Washington", abbreviation: "WA", population: 7535591 },
{ state: "California", abbreviation: "CA", population: 39557045 },
{ state: "Oregon", abbreviation: "OR", population: 4190714 }
]
WHERE population > 5000000 SELECT state
If I try to run this or any other query with a dataset literal I get an error:
Error in 'SearchParser': Missing a search command before '{'. Error at position '26' of search query 'search FROM [ { state: "Washington", a'.
Any idea why? Thanks.
... View more
- Tags:
- dataset literals
Labels
- Labels:
-
other
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
03-15-2022
02:04 PM
|
