Hi,
I have data like this:
student id   request type
13030        ack
13030        response
13030        request
14040        request
14040        response
14040        ack
So I need to schedule a search to run every 15 minutes and send an email alert when I do not get any response or acknowledgement for a particular student ID, including the student and their multiple requests and responses.
Hi prashanthberam,
you should create a lookup with your student IDs (e.g.: StudentID.csv) and then run a search like this:
| inputlookup StudentID.csv
| eval count=0, StudentID=lower(StudentID)
| append [ search index=yourindex | eval StudentID=lower(StudentID) | stats count by StudentID ]
| stats sum(count) AS Total BY StudentID
| where Total=0
In this way you get all the StudentIDs that aren't present in the search results.
Bye.
Giuseppe
Assuming your data has student_id and request_type fields.
your search query
| stats count as RequestCount values(request_type) as RequestTypes by student_id
| search RequestCount>=1 AND NOT (RequestTypes="response" OR RequestTypes="ack")
Setup Alert with
1) Alert Type > Scheduled "Run on Cron Schedule", with a cron expression that runs every 15 minutes (for example, the following runs only on weekdays): */15 * * * 1-5
2) Trigger Condition > Trigger Alert when "Number of Results" "is greater than" 0
I am getting every student name with their request types and their count, but I need the ones that don't have "ACK" or "RESPONSE"; I need that information....
Can you validate that the fields in the search are correct? I tested with the following data (14041 has only a request and no ack or response). The query worked for me. Please play around with the final search conditions RequestCount and RequestTypes (if you are getting a count, then RequestCount=1 alone, without the RequestTypes condition, should at a high level give you only requests).
2016-10-29 13:24:43.310 student_id=13030 request_type=ack
2016-10-29 13:25:43.310 student_id=13030 request_type=response
2016-10-29 13:26:43.310 student_id=13030 request_type=request
2016-10-29 13:27:43.310 student_id=14040 request_type=request
2016-10-29 13:28:43.310 student_id=14040 request_type=response
2016-10-29 13:29:43.310 student_id=14040 request_type=ack
2016-10-29 13:27:43.310 student_id=14041 request_type=request
index=main sourcetype="splunk_answers_475441"
| stats count as RequestCount values(request_type) as RequestTypes by student_id
| search RequestCount>=1 AND NOT (RequestTypes="response" OR RequestTypes="ack")
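As an added example (not part of this thread or of Splunk), here is the same logic in Python, run over the constructed sample events posted above: `unanswered_students` mirrors the `stats ... | search NOT (response OR ack)` alert condition from the second answer, and `silent_students` mirrors the lookup-based check from the first answer. The `EXPECTED_STUDENTS` list stands in for an assumed StudentID.csv lookup.

```python
import re
from collections import defaultdict

# Constructed sample events, in the same format as the data posted in the thread.
SAMPLE_EVENTS = """\
2016-10-29 13:24:43.310 student_id=13030 request_type=ack
2016-10-29 13:25:43.310 student_id=13030 request_type=response
2016-10-29 13:26:43.310 student_id=13030 request_type=request
2016-10-29 13:27:43.310 student_id=14040 request_type=request
2016-10-29 13:28:43.310 student_id=14040 request_type=response
2016-10-29 13:29:43.310 student_id=14040 request_type=ack
2016-10-29 13:27:43.310 student_id=14041 request_type=request
"""

# Assumed stand-in for the StudentID.csv lookup; 15050 has no events at all.
EXPECTED_STUDENTS = ["13030", "14040", "14041", "15050"]

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_events(text):
    """Extract key=value pairs from each line, like Splunk's automatic field extraction."""
    return [dict(FIELD_RE.findall(line)) for line in text.splitlines() if line.strip()]


def request_types_by_student(events):
    """Equivalent of: | stats values(request_type) as RequestTypes by student_id."""
    types = defaultdict(set)
    for ev in events:
        if "student_id" in ev and "request_type" in ev:
            types[ev["student_id"].lower()].add(ev["request_type"].lower())
    return types


def unanswered_students(events):
    """Students with events but neither 'response' nor 'ack' (the alert condition)."""
    types = request_types_by_student(events)
    return sorted(sid for sid, seen in types.items() if not seen & {"response", "ack"})


def silent_students(events, expected):
    """Students in the lookup with no events at all (the inputlookup/append approach)."""
    seen = set(request_types_by_student(events))
    return sorted(sid for sid in expected if sid.lower() not in seen)


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    print("no ack/response:", unanswered_students(evs))  # ['14041']
    print("no events at all:", silent_students(evs, EXPECTED_STUDENTS))  # ['15050']
```

A scheduled job that emails when either list is non-empty is the equivalent of the "Number of Results is greater than 0" trigger.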