Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

return events that not match

indeed_2000
Motivator
‎10-30-2021 11:02 PM

Hi
I have field that call "servername" that return this:
...| table servername
server1
server2
server3


need spl that when I give list of my servername, return which servername not exist

expected output:
...|search server1 OR server2 OR server3 OR server4 | table servername status

servername    status
server4                X

 

any idea?

Thanks

Labels (4)
Labels
0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎10-31-2021 01:46 AM

Splunk on its own only passes returned data past the pipe. It has no  idea what the search was. So it doesn't matter if you were searching for just 3 hosts or for 4 and one just wasn't there. You simply get your resulting events.

So if you want to have stats for non-existing entities (servername in your case) you have to prepare "baseline" values append them to original results and combine them together

<your search> 
| append
 [ | inputlookup baseline.csv ]
| stats values(status) by servername
| eval status=if(mvcount(status)=1,status,mvfilter(status!="X"))

 

0 Karma
Reply

indeed_2000
Motivator
‎10-31-2021 06:57 AM

is it possibe do this without csv file?

 

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎10-31-2021 09:55 AM

Sure. You can use search through earlier events (question is - do you have all servers there), you can craft them by hand (not very convenient if the number of servers grow). It's just that lookup is easiest to use.

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎10-31-2021 01:34 AM

This is a classic case of wanting splunk to make stuff up!

If the event doesn't exist, how does splunk know what to return?

Answer, you need to tell it!

This is often done by getting the events from another source, either a lookup file e.g. csv file/store or a different search e.g. over a different time period, then combining this with the original search and looking for events which occur in one search and not in the other.

0 Karma
Reply

indeed_2000
Motivator
‎10-31-2021 06:58 AM

is it possible to do this without csv file?

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎10-31-2021 08:02 AM

Yes, as I suggested, a different search might be used to return all the server names, assuming you have the events indexed, or you could use makeresults to generate a set of events with the server names you are looking for.

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to July Tech Talks, Office Hours, and Webinars!

What are Community Office Hours?Community Office Hours is an interactive 60-minute Zoom series where ...

Updated Data Type Articles, Anniversary Celebrations, and More on Splunk Lantern

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

A Prelude to .conf25: Your Guide to Splunk University

Heading to Boston this September for .conf25? Get a jumpstart by arriving a few days early for Splunk ...