Hi,
I have a list of services on my Oracle server,
and I want to control the status of these services (services up and services down).
I created an alert to give me the list of the active services ( sourcetype=srvscript | stats count values(CMD) by _time | rename values(CMD) as "CMD" | where count < 7 ) and this worked fine.
I now want to create an alert to give me the services that are down, so I created a CSV file containing the list of all existing services, and I want to compare it with the search already created that gives the currently active services.
I need a search that gives me the names of the services that are not active (missing from the search result of active services). So how do I compare the CSV file contents with the active-service result to find the non-active services?
Hi aalaa,
If the field containing services is called "service", see something like this:
index=oracle sourcetype=srvscript
| eval service=lower(service)
| stats count BY service
| append [ | inputlookup existingServices | eval count=0, service=lower(service) | fields count service ]
| stats sum(count) AS Total By service
| eval Status=if(Total=0,"Down","Up")
| sort service
| table service Status
You can also display this table in graphic mode.
A little hint: always use the index=<your_index> option to have more performant searches.
Ciao.
Giuseppe
A subsearch should do it.
sourcetype=srvscript NOT [ | inputlookup existingServices | format ]