- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Is there a way to display matching results bas...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Is there a way to display matching results based on an inputlook?
I have a lookup file of jobs that I must report on. I need to know if the jobs ran then alert if the job didn't run. If it did not run, there will be no log sent to splunk. Here's what I have:
Column 1 - List of jobs from lookup file
Column 2 - Results from search query
Here's what I'm looking to achieve:
Column 1 Column 2 Status
Job1 Job1 Success
Job2 Job2 Success
Job3 Null Failure
Job4 Job4 Success
If the job runs, match the name to its equivalent from the lookup.
If the job fails, leave blank or return null.
If column1 != column2 then trigger alert
I can display the lookup file as well as get results from the query. I can't figure out the one for one match up. I'm sure it's something simple.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Here is how I would do it:
Search to get list of jobs that have run from indexed data
| table JobName | eval Status=1
| append [| inputlookup yourjoblookup.csv | table JobName | eval Status=0]
| stats max(Status) as Status by JobName
| replace 0 with "Failure" 1 with "Success" in Status
| where Status="Failure"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
That worked..Thank you!!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Please provide sample data or a better description about the fields and the goal you have in mind.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
My lookup is just a 1 column file with the names of the jobs.
My search query of the logs return the jobs that ran last night.
I want to compare the jobs in the search results to the jobs in the lookup.
If a job didn't not run there will not be a match to the lookup.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If you are able to generate the sample output stated above, how about adding the following condition to it and then alert events...
| where isnull(Column_2)
More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk
.conf24 | Personalize your .conf experience with Learning Paths!
Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...
