Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to use lookup data from a CSV file to include missing logs for a more complete report?

kobie
New Member
‎09-08-2014 10:30 AM

I have a scenario where i have a data input which indexes logs from a Job Automation software. Each indexed job logs contains several field extractions. I am performing some computations and putting these results into a report. I don't believe the search string matters for the purposes of this issue, but if you need to see an example please let me know.

My issue comes from that there are a thousand jobs setup to run on a daily basis. If the jobs runs and succeeds or fails a log is generated and indexed by Splunk. I can report on this and life is good. However, if a job is skipped, missed, or does not run at all, NO log is created and thus does not show on the report.

I have a CSV file which contains all the jobs that are supposed to run. My question is what do you guys recommend to statically display ALL the job names from this input file and then join them with a search so that if I job did not run and no log was generated, it would show the name and the run times would be blank.

I am guessing the best case would be with using that CSV file as an input, but I have not been able to find an example search which would populate the input file in the report and then join in the results from the base search. If you guys could provide some guidance and examples, I would be most appreciative.

Thank you!

0 Karma
Reply

MuS
Legend
‎09-08-2014 11:09 AM

Hi kobie,

take a look at this http://answers.splunk.com/answers/73268/search-for-hosts-in-a-lookup-but-not-in-splunk and you will see an example on how to search for something in a lookup file but not in Splunk.

Hope this helps ...

cheers, MuS

Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...