Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to compare my search result with saved data list to reflect the value not reflecting in the search result (that is there in the saved data list)?

IamRoni
Explorer
‎10-30-2015 01:01 AM

My existing search string is:

index="os" OR index="app"  host=ip-10-12-70-56.va2.b2c.nike.com sourcetype=ps| multikv fields ARGS filter java| rex "Db2cid\=(?<b2cid>job-\\w+..)_" | dedup b2cid,host | chart count by b2cid,host | eval b2cidlowr=lower(b2cid) | sort  b2cidlowr | fields - b2cidlowr

This search is returning hosts like the following:

job-AsyncReqAgentServer-0   
job-CloseOrderAgentServer-0 
job-CreateOrderJMSServer-0  
job-CreateShipmentInvoiceJMSServer-0
job-FraudResponseJMSServer-0

But I have another couple of host which ideally should have reflected but not reflecting.
If I declare all the possible hosts in the search, can it return the hosts that are not getting rendered?
How to write such a search string?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎10-30-2015 08:55 AM

Yes, you can declare them all in a list and attach this to your search like this:

| noop | stats count AS host | eval host="host1,host2,host3,host4,hostn" | eval b2cid="dummy" | makemv delim="," host | mvexpand host |append [index="os" OR index="app"  host=ip-10-12-70-56.va2.b2c.nike.com sourcetype=ps| multikv fields ARGS filter java| rex "Db2cid\=(?<b2cid>job-\\w+..)_" | dedup b2cid,host] | chart count by b2cid,host | eval b2cidlowr=lower(b2cid) | sort  b2cidlowr | fields - b2cidlowr

View solution in original post

Reply
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎10-30-2015 08:55 AM

Yes, you can declare them all in a list and attach this to your search like this:

| noop | stats count AS host | eval host="host1,host2,host3,host4,hostn" | eval b2cid="dummy" | makemv delim="," host | mvexpand host |append [index="os" OR index="app"  host=ip-10-12-70-56.va2.b2c.nike.com sourcetype=ps| multikv fields ARGS filter java| rex "Db2cid\=(?<b2cid>job-\\w+..)_" | dedup b2cid,host] | chart count by b2cid,host | eval b2cidlowr=lower(b2cid) | sort  b2cidlowr | fields - b2cidlowr
Reply
Solved! Jump to solution

IamRoni
Explorer
‎11-02-2015 03:05 AM

Thanks a lot woodcock.
With some enhancement its fitting my requirements
Appreciate it!

0 Karma
Reply
Solved! Jump to solution

IamRoni
Explorer
‎11-03-2015 03:07 AM

@woodcock
was unable to find the proper explanation on noop command. Can you please guide me on this?

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎11-03-2015 06:06 AM

It is short for "NO OPeration". It is a command that does not require an input and does nothing put pass-through events. It is the most efficient way to create an empty event-set, which, when piped to stats count gives us a single event that we can manipulate to create other events.

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...

Get the T-shirt to Prove You Survived Splunk University Bootcamp

As if Splunk University, in Las Vegas, in-person, with three days of bootcamps and labs weren’t enough, now ...

Wondering How to Build Resiliency in the Cloud?

IT leaders are choosing Splunk Cloud as an ideal cloud transformation platform to drive business resilience,  ...