- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Real time search, how to check if event doesn't ex...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello,
I have some logs arriving into splunk every 5 minutes from a script running on an application server. The final line of logs indicates whether the script is complete or not. and looks something like this:
END :DATA COLLECTED ON 24 February 2015 at 14:41:23
I would like to check with real time if this line is there or not and if it isn't I would like to return a specific value indicating that the line is not there.
Is this possible via an Eval command ?
Regards,
David
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This is easy enough.
If you use an eval if statement with a regex that uses match, in the form of :
eval IsPresent=if(match(_raw,"REGEX"), IfPresent, IfNotPresent)
That should work for you, but you'll need to put a regex in.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This is easy enough.
If you use an eval if statement with a regex that uses match, in the form of :
eval IsPresent=if(match(_raw,"REGEX"), IfPresent, IfNotPresent)
That should work for you, but you'll need to put a regex in.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you Mark!
This works in some cases but if there is no results displayed in the search the eval does not add an extra field. I found the answer on how to solve it here :
http://answers.splunk.com/answers/50379/table-message-when-no-results-found.html
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
No Problem, glad it helped, as a matter of fact I was just reading that thread!
It works on a similar concept, if it can't find it then you could set the msg field where it says IfNotPresent.
Alternatively you could set IfPresent to "Complete" or "Not Completed" and table it, which would then produce a similar result.
All in all, a good result 🙂
Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...
.conf24 | Registration Open!
ICYMI - Check out the latest releases of Splunk Edge Processor
