Show only those filetype name which came in logs ,...

Hemant1 · ‎06-20-2018

Hi , i am facing some issue with query. My question is how to show only those filetype name which came in logs. Check in lookupfile, if any if filetype is missed then it must show in result.

index=sap_bam sourcetype=sap_d059
| lookup sap_filetype.csv filetype as filetype
| dedup source
| stats count by filetype
| rename count as filecount
| eval alertme=if((filecount=0) OR isnull(filecount),1,0)
| fields sourcetype filetype filecount alertme 
| table filetype filecount alertme

woodcock · ‎06-30-2018

I cannot understand what you are asking. Perhaps have a colleague review the words that you are using and re-edit to add clarity.

DalJeanis · ‎06-20-2018

It's difficult to make out exactly what the use case is, but we've clarified your question as much as possible.

I believe you are trying to receive an alert when any particular "filetype" has not been seen in a certain length of time.

Here are some answers that have searches you can model

using a lookup as a base list

https://answers.splunk.com/answers/374128/how-do-i-edit-my-inputlookup-search-to-alert-on-mi.html

using tstats to generate a base list

https://answers.splunk.com/answers/3181/how-do-i-alert-when-a-host-stops-sending-data.html

DalJeanis · ‎06-20-2018

We've updated the title and language to clarify the question, somewhat.

Show only those filetype name which came in logs , any if filetype is missed than it must show in result

Join Us for Splunk University and Get Your Bootcamp Game On!

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

Announcing Scheduled Export GA for Dashboard Studio