Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Pass values in splunk search and compare it with results

raghul725
Explorer
‎10-27-2023 03:14 AM
Hello,
Currently my search looks for the list of containers which includes initialised successfully message and lists them. The alert I have set is to look for the number of containers under total connections column and if it is less then 28, then some of them did not connect successfully
 
How can pass I the list of containers in my search and compare that with the result produced and state if the result is missing a container please?
 
 
Sorry I cannot provide the exact search on a public forum, so I am sharing something similar.
 
Example: (my example just shows 4 containers)
 
The search should return container A, container B, container C, container D
 
Current search:
 
index=*  Initialised xxxxxxxxxxxx xxxxxx|rex "\{consumerName\=\'(MY REGEX)"|chart count AS Connections by name| addcoltotals labelfield="Total Connections"
 
 
The current result is
 
Container_Name      |  Count       |    Total_Connections
Container A                 |    1              |
Container B                 |   1                |
Container C                 |    1               |
Container D                 |    1               |
                                                                                    4         
 
How can I tweak the above search to include container A,B,C and D and if container D is missing in the result, the search should compare the result with the values passed in the search and state which container is missing as the last line in the above table i.e. preserve the existing result but state which container is missing from the result as well please?
 
Regards
Labels (2)
Labels
0 Karma
Reply

yuanliu
SplunkTrust
SplunkTrust
‎10-30-2023 12:30 AM

If you know all container names in advance, simply enumerate them.  One way to do this is to use foreach.

 

index=*  Initialised xxxxxxxxxxxx xxxxxx |rex "\{consumerName\=\'(MY REGEX)"
| stats count as Connections by Container_Name
| transpose header_field=Container_Name column_name=Container_Name
| foreach "Container A", "Container B", "Container C", "Container D"
    [eval <<FIELD>> = if(isnull('<<FIELD>>'), "(missing)", '<<FIELD>>')]
| transpose header_field=Container_Name column_name=Container_Name
| addcoltotals fieldname=Connections labelfield=Container_Name

 

(If you perform stats on Container_Name, 

For example, if your data is missing "Container D", you get

Container_NameConnections
Container A1
Container B1
Container C1
Container D(missing)
Total3

If your data is missing "Container C", you get

Container_NameConnections
Container A1
Container B1
Container D1
Container C(missing)
Total3

And so on.

Here is an emulation for you to play with and compare with real data

 

| makeresults
| fields - _time
| eval Container_Name = mvappend("Container A", "Container B"```, "Container C"```, "Container D")
``` data emulation above ```

 

 

Tags (1)
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎10-27-2023 03:25 AM

Finding something that doesn't exist is not one of Splunk's strong suits! You can get around this by telling Splunk what to look for, for example

index=*  Initialised xxxxxxxxxxxx xxxxxx|rex "\{consumerName\=\'(MY REGEX)"|chart count AS Connections by name
| append
  [| makeresults format=csv data="name
Container A
Container B
Container C
Container D"]
| stats count by name
| where count < 2
0 Karma
Reply

raghul725
Explorer
‎10-28-2023 08:17 AM

Thank you, but when I run the suggestion provided on a time period I know would not return any result, nothing shows up. I expected it provide me the entire list in makeresults.

Sorry if I am missing something here or I don't understand your suggestion.

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎10-28-2023 08:58 AM

Which version of Splunk are you running as the format and data options to makeresults were introduced in version 9

0 Karma
Reply

raghul725
Explorer
‎10-30-2023 04:55 AM

I am afraid its on Version:8.2.11.2

That answers it.

 

Assume there is nothing else we can try on the version I am on please?

 

Best Regards

 

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎10-30-2023 05:08 AM

Try it like this (for pre-Splunk 9)

index=*  Initialised xxxxxxxxxxxx xxxxxx|rex "\{consumerName\=\'(MY REGEX)"|chart count AS Connections by name
| append
  [| makeresults
  | eval name="Container A,Container B,Container C,Container D"
  | eval name=split(name,",")]
| stats count by name
| where count < 2

 

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎10-30-2023 08:15 AM

I would also advise to externalise the conifg (the list of wanted  containers) from the search itself.

So I'd simply create a lookup (let's call it containers.csv) with just one column called "name" containing all the containers you expect and then do

 

index=*  Initialised xxxxxxxxxxxx xxxxxx|rex "\{consumerName\=\'(MY REGEX)"|chart count AS Connections by name
| append
  [| inputlookup containers.csv ]
| stats count by name
| where count < 2

 

 This way if your list of containers changes it's easy to just update the lookup instead of rewriting the search.

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...

Get the T-shirt to Prove You Survived Splunk University Bootcamp

As if Splunk University, in Las Vegas, in-person, with three days of bootcamps and labs weren’t enough, now ...

Wondering How to Build Resiliency in the Cloud?

IT leaders are choosing Splunk Cloud as an ideal cloud transformation platform to drive business resilience,  ...