Is there a way to display matching results based o...

cmcdole · ‎11-03-2017

I have a lookup file of jobs that I must report on. I need to know if the jobs ran then alert if the job didn't run. If it did not run, there will be no log sent to splunk. Here's what I have:
Column 1 - List of jobs from lookup file
Column 2 - Results from search query

Here's what I'm looking to achieve:
Column 1 Column 2 Status
Job1 Job1 Success
Job2 Job2 Success
Job3 Null Failure
Job4 Job4 Success

If the job runs, match the name to its equivalent from the lookup.
If the job fails, leave blank or return null.
If column1 != column2 then trigger alert

I can display the lookup file as well as get results from the query. I can't figure out the one for one match up. I'm sure it's something simple.

somesoni2 · ‎11-03-2017

Here is how I would do it:

Search to get list of jobs that have run from indexed data
| table JobName | eval Status=1
| append [| inputlookup yourjoblookup.csv | table JobName | eval Status=0]
| stats max(Status) as Status by JobName
| replace 0 with "Failure" 1 with "Success" in Status
| where Status="Failure"

cmcdole · ‎11-03-2017

That worked..Thank you!!

horsefez · ‎11-03-2017

Please provide sample data or a better description about the fields and the goal you have in mind.

cmcdole · ‎11-03-2017

My lookup is just a 1 column file with the names of the jobs.
My search query of the logs return the jobs that ran last night.
I want to compare the jobs in the search results to the jobs in the lookup.

If a job didn't not run there will not be a match to the lookup.

horsefez · ‎11-03-2017

If you are able to generate the sample output stated above, how about adding the following condition to it and then alert events...

| where isnull(Column_2)

Is there a way to display matching results based on an inputlook?

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life