Hi, I'm pretty new to Splunk. I've been reading a lot of documentation and other questions here, but I can't find the help that I need.
I have this search; every day is a left join like this:
index=myIndex sourcetype=mySource
| eval weekday=strftime(_time,"%A")
| where weekday = "Monday"
| where Systems IN ("SYSTEM 1", "SYSTEM 2", "SYSTEM 3", "SYSTEM 4")
| eval ExpectedTime = case(
Systems="SYSTEM 1", "6:30am",
Systems="SYSTEM 2", "6:35am",
Systems="SYSTEM 3", "6:45am",
Systems="SYSTEM 4", "6:40am"
)
| eval CurrentSLO= case(
Systems="SYSTEM 1", "7:15am",
Systems="SYSTEM 2", "7:20am",
Systems="SYSTEM 3", "7:10am",
Systems="SYSTEM 4", "7:10am"
)
)
| eval EndHour=substr(time, 50, 1)
| eval EndMin=substr(time, 52, 2)
| eval time = EndHour.":".EndMin
| eval Mon = " (" .EndHour. ":" .EndMin. "am)"
| eval category="CATEGORY 1"
| table category Systems ExpectedTime CurrentSLO Mon Tue Wed Thu Fri
| rename ExpectedTime as "Expected Time"
| rename CurrentSLO as "Current SLO"
| rename category as "Category"
| join type=left Systems
[ search index=myIndex sourcetype=mySource
| eval weekday=strftime(_time,"%A")
| where weekday = "Tuesday"
| where Systems IN ("SYSTEM 1", "SYSTEM 2", "SYSTEM 3", "SYSTEM 4")
| eval ExpectedTime = case(
Systems="SYSTEM 1", "6:30am",
Systems="SYSTEM 2", "6:35am",
Systems="SYSTEM 3", "6:45am",
Systems="SYSTEM 4", "6:40am"
)
| eval CurrentSLO= case(
Systems="SYSTEM 1", "7:15am",
Systems="SYSTEM 2", "7:20am",
Systems="SYSTEM 3", "7:10am",
Systems="SYSTEM 4", "7:10am"
)
)
| eval EndHour=substr(time, 50, 1)
| eval EndMin=substr(time, 52, 2)
| eval time = EndHour.":".EndMin
| eval Tue = " (" .EndHour. ":" .EndMin. "am)"
| eval category="CATEGORY 1"
| table category Systems ExpectedTime CurrentSLO Mon Tue Wed Thu Fri
| rename ExpectedTime as "Expected Time"
| rename CurrentSLO as "Current SLO"
| rename category as "Category"
.
.
.
I need to trigger an alert when there is no information for a day of the week. I've been trying with search count=0, transaction and other failed solution attempts.
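The reason `count=0` never fires here is that a day with no events produces no rows at all, so there is nothing for `where` to see. The usual fix is to generate the full set of expected (system, weekday) pairs yourself, append the real counts, and alert on the pairs whose total is still zero. The search below is an added example, not code from the original post; it assumes the field is really called `Systems` (the post mixes `System` and `Systems`), keeps the `index=myIndex sourcetype=mySource` and the four system names from the post, and takes Monday to Friday as the expected days from the `table ... Mon Tue Wed Thu Fri` line. It looks at the last seven whole days, so run it as a weekly scheduled alert (or narrow `earliest`/`latest` to one day and drop the weekday cross product for a daily check).

```spl
index=myIndex sourcetype=mySource earliest=-7d@d latest=@d
    Systems IN ("SYSTEM 1", "SYSTEM 2", "SYSTEM 3", "SYSTEM 4")
| eval weekday=strftime(_time, "%A")
| stats count AS events BY Systems weekday
| append [
    | makeresults
    | eval Systems=split("SYSTEM 1,SYSTEM 2,SYSTEM 3,SYSTEM 4", ",")
    | mvexpand Systems
    | eval weekday=split("Monday,Tuesday,Wednesday,Thursday,Friday", ",")
    | mvexpand weekday
    | eval events=0
    | fields Systems weekday events
  ]
| stats sum(events) AS events BY Systems weekday
| where events=0
```

The `append` subsearch builds the 20 expected rows (4 systems x 5 weekdays) with `events=0`; the second `stats` adds the real counts onto those rows, so any pair that had no data keeps a total of zero and survives the final `where`. Set the alert trigger condition to "number of results is greater than 0", and the result rows tell you exactly which system went silent on which day. One caveat: `strftime(_time, "%A")` uses the search head's locale for day names, so if yours is not English, change the list in the subsearch to match.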