Solved: Real time search, how to check if event doesn't ex...

DavidHourani · ‎02-24-2015

Hello,

I have some logs arriving into splunk every 5 minutes from a script running on an application server. The final line of logs indicates whether the script is complete or not. and looks something like this:

END :DATA COLLECTED ON 24 February 2015 at 14:41:23

I would like to check with real time if this line is there or not and if it isn't I would like to return a specific value indicating that the line is not there.

Is this possible via an Eval command ?

Regards,
David

markthompson · ‎02-24-2015

This is easy enough.

If you use an eval if statement with a regex that uses match, in the form of :

eval IsPresent=if(match(_raw,"REGEX"), IfPresent, IfNotPresent)

That should work for you, but you'll need to put a regex in.

View solution in original post

markthompson · ‎02-24-2015

This is easy enough.

If you use an eval if statement with a regex that uses match, in the form of :

eval IsPresent=if(match(_raw,"REGEX"), IfPresent, IfNotPresent)

That should work for you, but you'll need to put a regex in.

DavidHourani · ‎02-24-2015

Thank you Mark!

This works in some cases but if there is no results displayed in the search the eval does not add an extra field. I found the answer on how to solve it here :

http://answers.splunk.com/answers/50379/table-message-when-no-results-found.html

markthompson · ‎02-24-2015

No Problem, glad it helped, as a matter of fact I was just reading that thread!

It works on a similar concept, if it can't find it then you could set the msg field where it says IfNotPresent.

Alternatively you could set IfPresent to "Complete" or "Not Completed" and table it, which would then produce a similar result.

All in all, a good result 🙂

Real time search, how to check if event doesn't exist and return something if it doesn't.

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms