cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
nnkreddy
Engager
Member since: ‎01-23-2024
‎01-23-2024
Community Statistics
Posts 2
Solutions 0
Karma Given 1
Karma Received 0
Member Since ‎01-23-2024
Activity Feed
Topics I've Started
View All

Re: Listing sources not having a match

by in Splunk Search
‎01-23-2024 08:57 AM
‎01-23-2024 08:57 AM
Hi @gcusello, Option 1 is the smart solution without complicating it - its working perfectly fine! Thanks for the help.  ... View more

Listing sources not having a match

by in Splunk Search
‎01-23-2024 06:39 AM
‎01-23-2024 06:39 AM
Hello, I've a simple requirement but new to Splunk so facing some challenges and hoping for some luck! My application writes HEARTBEAT messages every 2 min to log files to multiple sources. I'm just trying to create an alert and send email if heartbeat messages aren't written in last 5 min.  It may look simple but I also need to know which sources doesn't have heartbeat messages.  I've tried with below query which works but sometimes giving me incorrect results. So, looking for an better and simple solution.   index = index1 earliest=-5m latest=now source IN (dev-*api.log) ("testapi" AND "HEARTBEAT") | fields source | append [ search index = index1 earliest=-2w@w0 latest=now source IN (dev-*api.log) ("testapi" AND "HEARTBEAT") | stats dc(source) as source_list by source | fields source ] | rex field=_raw "HEARTBEAT for (?<APIName>.*).jar (?<Version>.*)" | stats count as #heartbeats, latest(Version) as Versions by APIName, JVM | eval Status=case(('#heartbeats' <= 1 OR isnull('#heartbeats')), "NOT RUNNING", '#heartbeats' > 1, "RUNNING") | table APIName, Versions, Status   Appreciate the help! Thanks. ... View more
Labels
Contact Me
Online Status
Offline
Date Last Visited
‎01-23-2024 01:43 PM
Karma given to
View All