Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

search to find Bush's stolen watch

ledion
Path Finder
‎03-06-2018 09:12 AM

Does anyone know how to craft a search to find George Bush's stolen watch?

Tags (1)
Reply

skoelpin
SplunkTrust
SplunkTrust
‎03-06-2018 10:15 AM

Yeah, try this 

index=... sourcetype=... 
| stats count(watch) by president
| search president="Bush_W"
| rename count(watch) AS passed_to_secret_service_agent
| eval where_is_stolen_watch=if(passed_to_secret_service_agent>0,"The U.S. gov forgot to give it back","The watch was stolen")
| table president where_is_stolen_watch
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎03-06-2018 10:59 AM

Nuh-uh. Stats count by field will never yield zeroes.

0 Karma
Reply

paulbannister
Communicator
‎03-07-2018 06:29 AM

Indeed, you'd have to table all the presidents afterwards and fillnull to get those zeroes, that could get tedious, are we also assuming that both pocket and wrist have been classified under the watch field?

0 Karma
Reply

skoelpin
SplunkTrust
SplunkTrust
‎03-07-2018 02:54 PM

Line 3 will narrow down to only search "Bush_W". When I googled this scenario, the first thing I saw was that the secret service grabbed it before it was stolen and never gave it back, so I went with it. The answer will always return this if that president ever owned a watch 

**President**  | **Where_is_stolen_watch**
Bush_W             | "The U.S. gov forgot to give it back
0 Karma
Reply

DalJeanis
Legend
‎03-07-2018 05:00 PM

SInce there are so many presidents and watches in the index, you'd want to be in the habit of checking identity of the president first, rather than wasting all those mips counting up the other couple of hundred records.

Also, since typists may get confused between the various George Bush presidents, and because the name can appear in various forms, you might be better off testing for something like...

| search (first_name="George" AND last_name="Bush") OR president_number = 43
Reply

ledion
Path Finder
‎03-06-2018 01:36 PM

don't we need some geostats ?

0 Karma
Reply

yannK
Splunk Employee
Splunk Employee
‎03-07-2018 02:32 PM

Only if it was a smart watch with GPS positioning.

0 Karma
Reply
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...

New in Observability Cloud - Explicit Bucket Histograms

Splunk introduces native support for histograms as a metric data type within Observability Cloud with Explicit ...