Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

return events that not match

indeed_2000
Motivator
‎10-30-2021 11:02 PM

Hi
I have field that call "servername" that return this:
...| table servername
server1
server2
server3


need spl that when I give list of my servername, return which servername not exist

expected output:
...|search server1 OR server2 OR server3 OR server4 | table servername status

servername    status
server4                X

 

any idea?

Thanks

Labels (4)
Labels
0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎10-31-2021 01:46 AM

Splunk on its own only passes returned data past the pipe. It has no  idea what the search was. So it doesn't matter if you were searching for just 3 hosts or for 4 and one just wasn't there. You simply get your resulting events.

So if you want to have stats for non-existing entities (servername in your case) you have to prepare "baseline" values append them to original results and combine them together

<your search> 
| append
 [ | inputlookup baseline.csv ]
| stats values(status) by servername
| eval status=if(mvcount(status)=1,status,mvfilter(status!="X"))

 

0 Karma
Reply

indeed_2000
Motivator
‎10-31-2021 06:57 AM

is it possibe do this without csv file?

 

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎10-31-2021 09:55 AM

Sure. You can use search through earlier events (question is - do you have all servers there), you can craft them by hand (not very convenient if the number of servers grow). It's just that lookup is easiest to use.

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎10-31-2021 01:34 AM

This is a classic case of wanting splunk to make stuff up!

If the event doesn't exist, how does splunk know what to return?

Answer, you need to tell it!

This is often done by getting the events from another source, either a lookup file e.g. csv file/store or a different search e.g. over a different time period, then combining this with the original search and looking for events which occur in one search and not in the other.

0 Karma
Reply

indeed_2000
Motivator
‎10-31-2021 06:58 AM

is it possible to do this without csv file?

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎10-31-2021 08:02 AM

Yes, as I suggested, a different search might be used to return all the server names, assuming you have the events indexed, or you could use makeresults to generate a set of events with the server names you are looking for.

0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

(view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...