I have a subsearch returning all files imported per client as the value "Client_File". It's value will look like ABC_File1. Based on what is returned in this first search, I have second part of the search to look if files were missed, and if that value is not returned I want it to write a message to the table being returned. Below is the search I have so far but it is not returning the missed files correctly. | append [ search source=importhelpers Moved earliest=-25h@h | eval time=strftime(round(strptime(file_Time, "%I:%M:%S %P")), "%H:%M:%S") | eval Client_File = ClientID + "_" + FileImported ] | eval time=strftime(now(), "%H:%M:%S") | eval dow=strftime(strptime(file_Date, "%m/%d/%Y"), "%A") | eval MissedFiles = case(Client_File!="ABC_File1" AND time>"12:25:00" AND dow!="Sunday" AND dow!="Saturday", "ABC Missed File1 File. It was expected by 12:25:00", Client_File!="ABC_File2" AND time>"12:25:00" AND dow!="Sunday" AND dow!="Saturday", "ABC Missed File2 File. It was expected by 12:25:00", Client_File!="ABC_File3" AND time>"12:25:00" AND dow!="Sunday" AND dow!="Saturday", "ABC Missed File3 File. It was expected by 12:25:00") | where isnotnull(MissedFiles) | rename MissedFiles as "Missed Files Message Alert" | table "Missed Files Message Alert" ... View more

I need to run a search at 8 am, 3 pm, and 11:50 pm and the following cron is not working: 8,15,50 23 *** What does it need to be to run the search at those times every day? ... View more

I have an index that is populated by and extensive, long running query that creates a line like "Client1 Export1 Missed. Expected Time: 06:15:00". I have another index that is populated with fields to be over written and not appear in report. So if this above file needs to not show up I have the information of "Client1" and "Export1" I am looking for a way to search for all results in point 2 (the ones to not include) and exclude them in point 1. Something like this: | where "Missed Exports Message Alert" NOT in [ search sourcetype="si_Export_FileMissed" earliest=-24h@h | eval clearExport = ClientID + " " + ExportType | table clearExport ] How do you use NOT in as this is not working as I expect. Another way to ask this question, is how to exclude results from a subsearch from the overall search? ... View more

I have events that only time stamp is the Splunk generated _time and I only need to return events after a certain date, 3/22/2018. Simply adding "Where _time > 3/22/2018" does not work and I have attempted converting _time and comparing against that to no avail. Any suggestions? ... View more

I have the following Field named FileImported that is formatted the following way: text_text_NEEDED EXTRACTION_text An example of FileImported is: 22_ABC_FileID1564_Export And I want "FileID1564" as a field named "Export" from the existing Fileimported field. I have attempted Regex myself, but am not as experienced in it to get it working. What would be the regex needed to extract what I need based on the FileImported field format? ... View more

I have four searches that my end user wants all in one .CSV file, but each result set on a different sheet, not all together. Is there a way to accomplish this in Splunk without having to send each search in a different email/file? For reference: I have the Splunk Excel Export app installed, but do not see this functionality. ... View more

My goal for this search is to find if a file was not imported. If the file is imported "Could not find a file in the" text will be present. If the file is imported, "Moved" text will be present. Our system looks to import the file consistantly. So, at 07:30:00 the file may be imported so "Moved" will appear in the log file. But at 08:00:00 the system will look to import the file, but since there is nothing to import (because it was imported at 07:30:00) "Could not file the file in the" will be written to the log. I am trying to write a search that if "Moved" is present then I do not even want to know the count of "Could not find the file in the". However, if "Moved" is never found in the log file during the specified time frame, then I do want to run a search and find all instances of "Could not find the file in the". So in short, I am seeking help of writing a search that does not include false negatives. Below is the search I have put together. I attemped to search for the expected files and find a count. Then in the second query, if the count was less than expected (so I did not find the number of imported files as expected), then I would look for "Could not find the file in the", the files that were not found. This search is not working as I have found I can not pass a count's value into a sub-search/second query. So "FilesImported" from the first query does not have the value I expect in the second query's "WHERE" clause. I have shortened the query for just two instances of a customers (instead of all 20+) as each customer has different files that are to be imported at different times on different days. source=*D:\\redacted\\redacted* source=*IH_Daily\\redacted* Moved earliest=-48h@h | eval dayBuffer=strftime(now(), "%d") | eval day=ltrim(tostring(dayBuffer),"0") | eval todayBuffer=strftime(now(), "%m_"+day+"_%Y") | eval today=ltrim(tostring(todayBuffer),"0") | where like(source,"%10_19_2017%") | eval time=strftime(round(strptime(file_Time, "%I:%M:%S %P")), "%H:%M:%S") | eval dow=strftime(strptime(file_Date, "%m/%d/%Y"), "%A") | rex field=source "redacted\\\+(?<ClientID>[^\\\]+)" | where ClientID="$clientID$" | where (like(source,"%"."client1"."%") AND (dow!="Sunday" AND dow!="Monday") AND (time>"07:27:00" AND time<"08:27:00") AND (FileImported="file1") OR (like(source,"%"."client2"."%")) AND (FilesImported!=2) AND (dow!="Sunday" AND dow!="Tuesday") AND (time>"09:00:00"AND time<"11:30:00") AND ((FileImported="file1") OR (FileImported="file2") OR (FileImported="file3")))) | stats count as FilesImported | append [ search source=*D:\\redacted\\redacted* source=*IH_Daily\\redacted* ("Could not find a file in the") earliest=-48h@h | eval dayBuffer=strftime(now(), "%d") | eval day=ltrim(tostring(dayBuffer),"0") | eval todayBuffer=strftime(now(), "%m_"+day+"_%Y") | eval today=ltrim(tostring(todayBuffer),"0") | where like(source,"%10_19_2017%") | eval time=strftime(round(strptime(file_Time, "%I:%M:%S %P")), "%H:%M:%S") | eval dow=strftime(strptime(file_Date, "%m/%d/%Y"), "%A") | rex field=source "redacted\\\+(?<ClientID>[^\\\]+)" | where ClientID="$clientID$" | where ((like(source,"%"."client1"."%")) AND (FilesImported<1) AND (dow!="Sunday" AND dow!="Monday") AND (time>"07:27:00"AND time<"08:27:00") AND (file_Missing="file1") OR (like(source,"%"."client2"."%")) AND (FilesImported!<3) AND (dow!="Sunday" AND dow!="Tuesday") AND (time>"09:00:00"AND time<"11:30:00") AND ((file_Missing="file1") OR (file_Missing="file2") OR (file_Missing="file3"))) | stats count as "File Missed" ] |table "File Missed" ... View more

Each search below gathers data via SQL Queries from 3 different databases on 3 different servers. I have combined them into one with the hope to return the "totalerrors" and "ClientID" associated with those errors in one final table at the bottom. So it would look like: totalerrors | ClientID 0 | abc 3 | def 5 | ghi As of right now, the search below only returns the first searches data. So, I am only retrieving: totalerrors | ClientID 0 | abc Any suggestions on how to return the data from each sub-search query into one final table, all together? | dbxquery query="SELECT count(*) as totalerrors, 'abc' as ClientID FROM \"CM126abc\".\"dbo\".\"table1\" (NOLOCK) WHERE PROCESSEDFLAG = 'N' and ADDEDDT>DATEADD(hour, -24, GETDATE())" connection="126" | fields totalerrors, ClientID | appendcols [dbxquery query="SELECT count(*) as totalerrors, 'def' as ClientID FROM \"CM126def\".\"dbo\".\"table2\" WHERE PROCESSEDFLAG = 'N' and ADDEDDT >DATEADD(hour, -24, GETDATE())" connection="126" | fields totalerrors, ClientID ] | appendcols [dbxquery query="SELECT count(*) as totalerrors, 'ghi' as ClientID FROM \"CM126ghi\".\"dbo\".\"table3\" WHERE PROCESSEDFLAG = 'N' and ADDEDDT >DATEADD(hour, -24, GETDATE())" connection="126" | fields totalerrors, ClientID] | table UnprocessedVendorCAs, ClientID ... View more

I want to use the count from the first search "FilesImported" as criteria in the where clause of the subsearch. FilesImported is 0 and "File Missed" needs to be 1, but "File Missed" is currently returning 0 which shows me that the subsearch Where Clause is not working as I expected. So, how does one use the count of the first search as criteria in the Where Clause of the subsearch? source=*D:\\gfd\\import* source=*Daily\\Debug* Moved earliest=-36h@h | eval time=strftime(round(strptime(file_Time, "%I:%M:%S %P")), "%H:%M:%S") | eval dow=strftime(strptime(file_Date, "%m/%d/%Y"), "%A") | rex field=source "importhelpers\\\+(?<ClientID>[^\\\]+)" | where ClientID="NAB" | where (like(source,"%"."NAB"."%") AND (dow!="Sunday" AND dow!="Monday") AND (time>"07:57:00" AND time<"08:27:00") AND FileImported="Record") | stats count as FilesImported | appendcols [ search source=*D:\\gfd\\import* source=*Daily\\Debug* "Could not find a file in the" OR Moved earliest=-36h@h | eval time=strftime(round(strptime(file_Time, "%I:%M:%S %P")), "%H:%M:%S") | eval dow=strftime(strptime(file_Date, "%m/%d/%Y"), "%A") | rex field=source "importhelpers\\\+(?<ClientID>[^\\\]+)" | where ClientID="NAB" | where ((like(source,"%"."NAB"."%") AND FilesImported!=1) AND (dow!="Sunday" AND dow!="Monday") AND (time>"07:27:00"AND time<"08:27:00") AND (file_Missing="Position")) | stats count as "File Missed" ] | table "File Missed" ... View more