Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to search a log if a match hasn't been seen in 24 hours?

weddi_eddy
Explorer
‎09-14-2022 12:05 PM

I currently have a lookup that contains two columns. Hostnames and Location.  I can use the following formula to search for squirrel in all hostnames in this lookup:

"squirrel" [| inputlookup mylookup.csv | fields MY_Hostname | rename MY_Hostname as host]

What I would like to do is to set up an alert where for each hostname in My_Hostname, Splunk will look for "squirrel". If the Number of Results found is equal to 0 (meaning that the squirrel log was not created) in a 24 hour period, I would like an email sent out with that hostname in the email.

I know I can set it up with all hostnames from the lookup, but the issue I see is that if hostname_1 has "squirrel" and hostname_4 does not, it will be greater than 0.

I effectively want to know if an application is not running and which host it is not running on. The application will generate "squirrel" at least once in a 24 hour period. (If you don't like squirrels, you can insert your animal of choice here).

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

bowesmana
SplunkTrust
SplunkTrust
‎09-14-2022 04:15 PM

Proving negatives is a common question here. The basic solution is to do this

"squirrel" [| inputlookup mylookup.csv | fields MY_Hostname | rename MY_Hostname as host]
| stats count by host
| append [
  | inputlookup mylookup.csv 
  | fields MY_Hostname 
  | rename MY_Hostname as host
  | eval count=0
]
| stats max(count) as count by host
| where count=0

so, you're just counting the hosts that DO have data, then appending all the hosts with a count  of 0  and then aggregating all the hosts and filtering out those hosts who did have data.

 

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

bowesmana
SplunkTrust
SplunkTrust
‎09-14-2022 04:15 PM

Proving negatives is a common question here. The basic solution is to do this

"squirrel" [| inputlookup mylookup.csv | fields MY_Hostname | rename MY_Hostname as host]
| stats count by host
| append [
  | inputlookup mylookup.csv 
  | fields MY_Hostname 
  | rename MY_Hostname as host
  | eval count=0
]
| stats max(count) as count by host
| where count=0

so, you're just counting the hosts that DO have data, then appending all the hosts with a count  of 0  and then aggregating all the hosts and filtering out those hosts who did have data.

 

0 Karma
Reply
Solved! Jump to solution

weddi_eddy
Explorer
‎09-15-2022 11:03 AM

Thanks so much! Had a few typos at first but this worked as intended!

0 Karma
Reply
Get Updates on the Splunk Community!

Prove Your Splunk Prowess at .conf25—No Prereqs Required!

Your Next Big Security Credential: No Prerequisites Needed We know you’ve got the skills, and now, earning the ...

Splunk Observability Cloud's AI Assistant in Action Series: Observability as Code

This is the sixth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how to ...

Splunk Answers Content Calendar, July Edition I

Hello Community! Welcome to another month of Community Content Calendar series! For the month of July, we will ...