Hello,
I have some logs arriving into Splunk every 5 minutes from a script running on an application server. The final line of the logs indicates whether the script is complete or not, and looks something like this:
END :DATA COLLECTED ON 24 February 2015 at 14:41:23
I would like to check in real time if this line is there or not, and if it isn't I would like to return a specific value indicating that the line is not there.
Is this possible via an eval command?
Regards,
David
This is easy enough.
If you use an eval if statement with a regex that uses match, in the form of:
eval IsPresent=if(match(_raw,"REGEX"), IfPresent, IfNotPresent)
That should work for you, but you'll need to put a regex in.
Thank you Mark!
This works in some cases, but if there are no results displayed in the search the eval does not add an extra field. I found the answer on how to solve it here:
http://answers.splunk.com/answers/50379/table-message-when-no-results-found.html
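To make the two points above concrete (the `if(match(_raw, ...))` eval from Mark's answer, and the empty-search edge case David raises in his follow-up), here is an added example in Python that is not part of the original thread or of Splunk. It applies the same regex test to a few constructed script-output events and shows why a batch with no events needs a placeholder row: the per-event eval never runs, so nothing would be tabled. The regex for the END line, the "Complete"/"Not Completed" values and the placeholder message are assumptions chosen for illustration.

```python
import re

# Regex for the terminating line quoted in the question:
#   END :DATA COLLECTED ON 24 February 2015 at 14:41:23
# Anchored to the start of a line so that a prefixed or quoted copy
# of the text (for example inside another log message) does not count.
END_PATTERN = re.compile(
    r"^END :DATA COLLECTED ON \d{1,2} [A-Za-z]+ \d{4} at \d{2}:\d{2}:\d{2}\s*$",
    re.MULTILINE,
)


def is_present(raw: str) -> bool:
    """Equivalent of match(_raw, "REGEX") in the Splunk eval."""
    return END_PATTERN.search(raw) is not None


def script_status(raw: str) -> str:
    """Equivalent of eval IsPresent=if(match(_raw, REGEX), "Complete", "Not Completed")."""
    return "Complete" if is_present(raw) else "Not Completed"


def status_for_batch(events: list) -> list:
    """Apply the eval to every event returned by the search.

    Edge case from the follow-up: if the search returned no events at all,
    the eval is never evaluated and the field never appears. Emit one
    placeholder row so a table still shows that the script did not report.
    """
    rows = [{"_raw": raw, "IsPresent": script_status(raw)} for raw in events]
    if not rows:
        rows.append({"_raw": "", "IsPresent": "No events in the last 5 minutes"})
    return rows


# Constructed sample events (not real data): one run that finished,
# one that died mid-way, and one that merely quotes the END text.
COMPLETE_RUN = (
    "START :COLLECTION 24 February 2015 at 14:36:01\n"
    "INFO :collected 120 rows\n"
    "END :DATA COLLECTED ON 24 February 2015 at 14:41:23"
)
INCOMPLETE_RUN = (
    "START :COLLECTION 24 February 2015 at 14:46:02\n"
    "INFO :collected 40 rows\n"
    "ERROR :connection reset by peer"
)
QUOTED_END_ONLY = (
    "START :COLLECTION 24 February 2015 at 14:51:00\n"
    "WARN :previous run printed 'END :DATA COLLECTED ON 24 February 2015 at 14:41:23'"
)

if __name__ == "__main__":
    for row in status_for_batch([COMPLETE_RUN, INCOMPLETE_RUN, QUOTED_END_ONLY]):
        print(row["IsPresent"], "<-", row["_raw"].splitlines()[-1])
    for row in status_for_batch([]):
        print(row["IsPresent"])
```

The third sample shows why anchoring matters: an unanchored `match(_raw, "END :DATA COLLECTED")` would report that run as complete because the phrase appears inside a warning. In Splunk the same anchoring is available by starting the regex with `^` and enabling multi-line mode with `(?m)`.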
No problem, glad it helped; as a matter of fact I was just reading that thread!
It works on a similar concept, if it can't find it then you could set the msg field where it says IfNotPresent.
Alternatively you could set IfPresent to "Complete" or "Not Completed" and table it, which would then produce a similar result.
All in all, a good result 🙂