Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How do I check if a field contains text and return the "source" if it doesn't?

griffinpair
Path Finder
‎07-31-2017 01:56 PM

My current search (below) returns 3 results that has a field called "import_File" that contains either the text "Account", "Owner", or "Member" in the file path. If there is an instance where the search does not contain a file path containing either the text "Account", "Owner", or "Member", I want to return the "source" so I can go in and check it out.

Search:

source=*D:\\filePath\\filePath* source=*filePath\\filePath.log* Moved
| eval todayBuffer=strftime(now(), "%m_%d_%Y") | eval today=ltrim(tostring(todayBuffer),"0") | where like(source,"%".today."%")
| where ((like(source,"%"."ClientID"."%")))
| sort -_time

Results:

7/31/2017 5:09:18 AM -- Moved D:\filepath\filepath\ClientID\filepath\ClientID\Position\ClientID_Owner_csv.xml Size:26.46 MB

7/31/2017 5:08:18 AM -- Moved D:\filepath\filepath\ClientID\filepath\ClientID\Account\ClientID_Account_csv.xml Size:586.22 KB

7/31/2017 5:03:15 AM -- Moved D:\filepath\filepath\ClientID\filepath\ClientID\Member\ClientID_Member_csv.xml Size:3.06 MB

For example (below), if tomorrow's search does not return an import_File with a file path containing "Member" I would want
to return the source.

Example Problem Search Results:

8/1/2017 5:09:18 AM -- D:\filepath\filepath\ClientID\filepath\ClientID\Position\ClientID_Owner_csv.xml Size:26.46 MB

8/1/2017 5:08:18 AM -- D:\filepath\filepath\ClientID\filepath\ClientID\Account\ClientID_Account_csv.xml Size:586.22 KB

0 Karma
Reply

somesoni2
Revered Legend
‎08-01-2017 08:31 AM

Give this a try

source=*D:\\filePath\\filePath* source=*filePath\\filePath.log* Moved
 | eval todayBuffer=strftime(now(), "%m_%d_%Y") | eval today=ltrim(tostring(todayBuffer),"0") | where like(source,"%".today."%")
 | where ((like(source,"%"."ClientID"."%"))) | rex field=source "ClientID_(?<type>[^_]+)" | eventstats values(type) as type
 | sort -_time | where mvcount(type)<3  | table source ..other fields you want...
0 Karma
Reply

DalJeanis
Legend
‎07-31-2017 02:32 PM

This will return either Owner, Account, Member, or the entire source.

| rex field=source "(?i)(<sourcefound>Owner|Account|Member)"
| eval source=coalesce(sourcefound,source)
0 Karma
Reply

somesoni2
Revered Legend
‎07-31-2017 02:26 PM

What will be the expect output (for the sample data)?

0 Karma
Reply

griffinpair
Path Finder
‎08-01-2017 07:47 AM

This is a "Alert Dashboard" I am creating. So if all show up (Results) then nothing should show up. If what we expected to show up does not (Example Problem Search Results) then I would want the the "source" to be returned so I can know the log file that has the information on the issue.

0 Karma
Reply

aaraneta_splunk
Splunk Employee
Splunk Employee
‎07-31-2017 02:16 PM

@griffinpair - Just so you know, there is special markup language on this site so certain symbols will transform your post. If you wrap a word in the asterisk symbol * or _, without wrapping it in a code sample, it will italicize the word. If you wish to show the * (i.e. you are displaying sample code), simply click on the Code Sample icon to the right of the Blockquote icon in the formatting toolbar. That is how I was able to edit your post so that the * will display.

0 Karma
Reply
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...

New in Observability Cloud - Explicit Bucket Histograms

Splunk introduces native support for histograms as a metric data type within Observability Cloud with Explicit ...