×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
wkelsey
Explorer
Member since: ‎01-10-2020
‎06-05-2020
Community Statistics
Posts 7
Solutions 0
Karma Given 2
Karma Received 0
Member Since ‎01-10-2020
Activity Feed
View All

Re: How to find missing values from a field

by in Splunk Search
‎01-13-2020 02:04 PM
‎01-13-2020 02:04 PM
Excellent, thank you! ... View more

Re: How to find missing values from a field

by in Splunk Search
‎01-13-2020 01:46 PM
‎01-13-2020 01:46 PM
The revised answer is not what I need, sorry. Here is some example data, the only results given should be "C", "X" and "Y" | makeresults | eval exp_val="A B C" | eval re_val = "" | appendpipe [| eval exp_val="X Y Z" | eval re_val="" | appendpipe [| eval exp_val="" | eval re_val="A" | appendpipe [| eval exp_val="" | eval re_val="B" | appendpipe [| eval exp_val="" | eval re_val="D" | appendpipe [| eval exp_val="" | eval re_val="Z"]]]]] ... View more

Re: How to find missing values from a field

by in Splunk Search
‎01-13-2020 12:01 PM
‎01-13-2020 12:01 PM
Thanks for the help! This is closer, but not final. The results need to include "C", and nothing else. See the additional information I have given to my questions. ... View more

Re: How to find missing values from a field

by in Splunk Search
‎01-13-2020 10:15 AM
‎01-13-2020 10:15 AM
Here is some example data, the results need to be "C", "X", "Y" | makeresults | eval exp_val="A B C" | eval re_val = "" | appendpipe [| eval exp_val="X Y Z" | eval re_val="" | appendpipe [| eval exp_val="" | eval re_val="A" | appendpipe [| eval exp_val="" | eval re_val="B" | appendpipe [| eval exp_val="" | eval re_val="D" | appendpipe [| eval exp_val="" | eval re_val="Z"]]]]] Thank you! ... View more

Re: How to find missing values from a field

by in Splunk Search
‎01-13-2020 09:51 AM
‎01-13-2020 09:51 AM
I didn't get the correct answers when I used this - but before debugging more, it looks like it will put "D" in the final results? The final result should just be "C" ... View more

Re: How to find missing values from a field

by in Splunk Search
‎01-13-2020 09:35 AM
‎01-13-2020 09:35 AM
In your sample query, the result is includes "D - missing", but I would like the results to include "C - missing" and not any "D - missing". There could be 1000 "re_val"s, we just want to find what is missing from exp_val ... View more

How to find missing values from a field

by in Splunk Search
‎01-10-2020 05:06 PM
‎01-10-2020 05:06 PM
Hi, My database has two data sources. Data source 1 sends a string with a list of expected values, so the field might look like: exp_val="A B C" Data source 2 is sending up independent events each with a value. The database might contain re_val="A", re_val="B", re_val="D" I need Splunk to report that "C" is missing. We should be able to 1 - Split the string into a table 2 - Get all re_val from the database WHICH exist in the split_string_table (to eliminate "D") 3 - diff [split_string_table] [result from 2] But for the life of me I cannot make it work. Below is my current attempt but I've tried about 100 variants to no avail.... eval split_val_list = [ search index="playground1" user="wkelsey" | stats latest(exp_val) as exp_val by cell_name | eval temp=split(exp_val, " ") | mvexpand temp | table temp] | set diff [ search index="playground1" user="wkelsey" | where in(re_val, split_val_list) | table re_val] [ table split_val_list] An alternative command which gives me the exact opposite of what I want index="playground1" user="wkelsey" | stats latest(exp_val) as exp_val | eval temp=split(exp_val, " ") | mvexpand temp | eval matchfield=temp | join matchfield [ search index=playground1 user=wkelsey | stats count by re_val | table re_val | eval matchfield= re_val] | table re_val As a new user to Splunk, I really question why they created a new language... The documentation is poor, SQL seems more powerful, and PHP or Python would give users more efficiency. I'm reading many posts of users spending days on simple searches. Splunk 6.6 ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎06-05-2020 02:03 AM
Karma given to
View All