Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

search for a string in field , if not there then trigger alert with remaining data in fields

kirrusk
Communicator
‎09-28-2021 11:40 PM

Hi,

I want to check for a string in the field, but if the string is not found in the field then need to print the remaining data. (last 15 mins data)

for example,

Field1      Field2             
9/2/10   successful
9/2/10   creating the file
9/2/10   created

from the above table, I want to check the Field2 for the last 15mins for string "successful", if no string is found in Field2 with "successful", Then need to trigger an alert with the remaining data like below.


Field1      Field2 
9/2/10   creating the file
9/2/10   created

is this possbile in splunk.

Labels (5)
Labels
Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎09-28-2021 11:58 PM

Hi @kirrusk,

let me understand:

  • your need is a two phases check:
    • check if in Field2 there's the string "Successful",
    • then display the values of the Field2 field below "Successful"

Is this correct?

If this is your need, please try something like this:

index=your_index ield2=*
| transaction startswith="Successful"
| mvexpand field2
| search field2!="Successful"
| table _time field2

if the number of events after "Successful" is fixes (e.g. always 2), you could be more precise adding an option to the transaction command "maxevents=2".

Ciao.

Giuseppe

View solution in original post

Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎09-28-2021 11:58 PM

Hi @kirrusk,

let me understand:

  • your need is a two phases check:
    • check if in Field2 there's the string "Successful",
    • then display the values of the Field2 field below "Successful"

Is this correct?

If this is your need, please try something like this:

index=your_index ield2=*
| transaction startswith="Successful"
| mvexpand field2
| search field2!="Successful"
| table _time field2

if the number of events after "Successful" is fixes (e.g. always 2), you could be more precise adding an option to the transaction command "maxevents=2".

Ciao.

Giuseppe

Reply
Solved! Jump to solution

kirrusk
Communicator
‎09-29-2021 12:30 AM

@gcusello 

@gcusello 
Thank you, but my intention is to trigger an alert with the remaining data in Field2.
if there is no string("Successful") at all in Field2.

sample alert,

no log found for successful, Please find logs

Field1             Field2
9/2/10         creating the file
9/2/10         created

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎09-29-2021 01:57 AM 
index=your_index Field2=*
| eval check=if(Field2="Successful","Yes",null())
| eventstats values(check) AS check
| where isnull(check)
0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎09-29-2021 12:48 AM

Hi @kirrusk,

ok, please try something like this:

index=your_index field2=*
| eval check=if(field2="Successful","Yes","No")
| stats values(EventCode) AS EventCode values(check) AS check dc(check) AS dc_check earliest(_time) AS _time
| search dc_check=1 check=No
| mvexpand field2
| table _time field2

in this way, you check if in your logs there's the "Successful" string:

  • if present, there's no result in the search,
  • if not present, it displays all the field2 values.

Ciao.

Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...