Getting a list or count of events against a list of values - where a value might not have any associated events

Runals
Motivator

I have a list of apps and would like to generate a view that shows what scheduled searches are being run in each. The kicker is if there are no scheduled searches I want to capture that as well. Feeding the list of apps is easy enough via a lookup in a sub search. The challenge is showing the ones that don't have any scheduled searches. I've tried a few combinations of commands but I haven't gotten the results I'm looking for. There has got to be a simple/elegant solution to this that I'm just overlooking. The crux of my search is as follows

index="_internal" sourcetype=scheduler [| inputlookup index_list | fields app] | stats count by app savedsearch_name

One of the challenges I've run into is I'm not simply looking to return a count of scheduled searches per app, I'd like to return the names and some data associated with them as well.

somesoni2
SplunkTrust

Try this:-

|inputlookup index_list | fields app | join type=left max=0 app [search index=_internal sourcetype=scheduler | stats count by app, savedsearch_name]

Here you can do more stuff in the subsearch; just make sure that you include the "app" field.

Runals
Motivator

Thanks for working on an answer! I started down this path originally but I found because I was potentially bringing back multiple results per app (vs just a count of scheduled searches), when I went to display or otherwise manipulate the query any further I was only seeing the first search in the sub search result set. Perhaps the max=0 bit might have been the piece I was missing though; haven't played with that.

Runals
Motivator

So I came up with a solution that isn't as elegant as I would like, but it works. Hopefully someone will come up with something better. The short version is I used a search (with a sub search) to generate a list of apps that didn't have any saved searches, appended that to the query above, alpha sorted the app field, and then used fillnull to fill the holes. I'll adjust my original search based on what I posted above.

index="_internal" source="*scheduler.log" [| inputlookup index_list | search reportable=t splunk_app=* | rename splunk_app as app | fields app]  | stats count by app savedsearch_name | append [| inputlookup index_list | fields app | search NOT [search index="_internal" source="*scheduler.log" [| inputlookup index_list  | fields app]  | stats count(savedsearch_name) by app | fields app] | table app] | sort app | fillnull value="None" savedsearch_name | fillnull value=0 count | fillnull value=0 notifications

I realize that search uses data which you can't duplicate because of the lookup, but just in case my edit is wrong I'll go ahead and post the real version.

index="_internal" sourcetype=scheduler [| inputlookup index_list | search reportable=t splunk_app=* | rename splunk_app as app | fields app] | eval pdf = if(match(savedsearch_name,"_ScheduledView"), "1", "0") | eval notifications = case(alert_actions="email", "1", pdf="1", "1", 1=1, "0")   | stats count as run_count sum(notifications) as notifications by app savedsearch_name | append [| inputlookup index_list | search reportable=t splunk_app=* | rename splunk_app as app | fields app | search NOT [search index="_internal" sourcetype=scheduler [| inputlookup index_list | search reportable=t splunk_app=* | rename splunk_app as app | fields app]  | stats count(savedsearch_name) by app | fields app] | table app] | sort app | fillnull value="None" savedsearch_name | fillnull value=0 run_count | fillnull value=0 notifications
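An added example (not a search from either poster) that combines the two approaches in this thread: the lookup-driven left join with max=0 from the accepted answer, the pdf/notifications fields from the final search, and fillnull so that apps with no scheduled searches still appear as a row with run_count=0. The lookup name index_list and its reportable and splunk_app fields are assumed to be as described in the thread.

```spl
| inputlookup index_list
| search reportable=t splunk_app=*
| rename splunk_app as app
| fields app
| join type=left max=0 app
    [ search index=_internal sourcetype=scheduler
      | eval pdf=if(match(savedsearch_name, "_ScheduledView"), 1, 0)
      | eval notifications=case(alert_actions="email", 1, pdf=1, 1, 1=1, 0)
      | stats count as run_count sum(notifications) as notifications by app savedsearch_name ]
| fillnull value="None" savedsearch_name
| fillnull value=0 run_count notifications
| sort app
```

Because the lookup is the left side, every app in it is kept and apps without matches get a single row with savedsearch_name="None"; max=0 keeps every matching subsearch row rather than only the first, but the subsearch itself is still subject to the usual subsearch result limit (50,000 rows by default), so check that the scheduler data for the chosen time range fits under it.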