Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Return information when there are no expected results.

griffinpair
Path Finder
‎10-02-2017 09:32 AM

This search checks to make sure a certain process ended on time. I expect to have results for the 6 cases in the where clause below. In the case that a Client's process did not end on time, it would not be returned in this search.

I would like to reverse the logic to return information for when a Client misses an expected end time.
For Example: if client6's process ends after 01:15:00, I would want to see the ClientID and expected time range.

source=*D:\\THY\\helper* source=*IH_Daily\\Debug* End earliest=-30h@h
| eval time=strftime(round(strptime(file_Time, "%I:%M:%S %P")), "%H:%M:%S")
| rex field=source "importhelpers\\\+(?[^\\\]+)"
| where ((like(source,"%"."client1"."%")) AND time>"05:00:00" AND time<"05:15:00")
OR ((like(source,"%"."client2"."%")) AND time>"09:30:00" AND time<"09:45:00")
OR ((like(source,"%"."client3"."%")) AND time>"07:30:00" AND time<"07:42:00")
OR ((like(source,"%"."client4"."%")) AND time>"07:00:00" AND time<"07:25:00")
OR ((like(source,"%"."client5"."%")) AND time>"05:00:00" AND time<"05:30:00")
OR ((like(source,"%"."client6"."%")) AND time>"00:30:00" AND time<"01:15:00")
| table ClientID, timerange, source
0 Karma
Reply

DalJeanis
Legend
‎10-02-2017 10:00 AM

Here's how I'd reengineer the tests...

source=*D:\\THY\\helper* source=*IH_Daily\\Debug* End earliest=-30h@h
| eval time=strftime(round(strptime(file_Time, "%I:%M:%S %P")), "%H:%M:%S")
| rex field=source "importhelpers\\\+(?[^\\\]+)"
| eval MyClient=case( like(source,"%"."client1"."%"),"client1",
   like(source,"%"."client2"."%"), "client2",
   like(source,"%"."client3"."%"), "client3",
   like(source,"%"."client4"."%"), "client4",
   like(source,"%"."client5"."%"), "client5",
   like(source,"%"."client6"."%"), "client6")
| where isnotnull(MyClient)
| eval LowTime=case( MyClient="client1","05:00:00",
   MyClient="client2", "09:30:00",
   MyClient="client3", "07:30:00",
   MyClient="client4", "07:00:00",
   MyClient="client5", "05:00:00",
   MyClient="client6", "00:30:00")
| eval HighTime=case( MyClient="client1","05:15:00",
   MyClient="client2", "09:45:00",
   MyClient="client3", "07:42:00",
   MyClient="client4", "07:25:00",
   MyClient="client5", "05:30:00",
   MyClient="client6", "01:15:00")
| eval MyFlag = case(time<LowTime,"Early", time>HighTime,"Late", true(), "On Time")
| table ClientID, source, MyClient, LowTime, HighTime, time, MyFlag

Although actually, I'd put all that client data into a lookup table.

0 Karma
Reply

DalJeanis
Legend
‎10-02-2017 10:11 AM

And if you want to have just the ones that are in that time frame, plus mark the missing ones, then add this at the end...

| where MyFlag="On Time"
| append [| makeresults 
    | eval mydata="client1,05:00:00,05:15:00!!!!client2,09:30:00,09:45:00!!!!client3,07:30:00,07:42:00!!!!client4,07:00:00,07:25:00!!!!client5,05:00:00,05:30:00!!!!client6,00:30:00,01:15:00"  
    | makemv delim="!!!!" mydata 
    | mvexpand mydata 
    | rex field=mydata "(?<MyClient>.+?),(?<LowTime>[^,]+),(?<HighTime>[^,]+)" 
    | table MyClient LowTime HighTime
    ]
| stats values(*) as * by MyClient
| eval MyFlag = coalesce(MyFlag, "Missing")
0 Karma
Reply

somesoni2
Revered Legend
‎10-02-2017 09:42 AM

Try this

source=D:\\THY\\helper source=IH_Daily\\Debug End earliest=-30h@h
| eval time=strftime(round(strptime(file_Time, "%I:%M:%S %P")), "%H:%M:%S")
| rex field=source "importhelpers\\+(?[^\\]+)"
| where NOT ((like(source,"%"."client1"."%")) AND time>"05:00:00" AND time<"05:15:00")
OR ((like(source,"%"."client2"."%")) AND time>"09:30:00" AND time<"09:45:00")
OR ((like(source,"%"."client3"."%")) AND time>"07:30:00" AND time<"07:42:00")
OR ((like(source,"%"."client4"."%")) AND time>"07:00:00" AND time<"07:25:00")
OR ((like(source,"%"."client5"."%")) AND time>"05:00:00" AND time<"05:30:00")
OR ((like(source,"%"."client6"."%")) AND time>"00:30:00" AND time<"01:15:00")
| table ClientID, timerange, source
0 Karma
Reply

griffinpair
Path Finder
‎10-02-2017 09:48 AM

This does not work as there are other end times throughout the log file for each client. This returns the other end times that do not matter. I am seeking to return information if there is no end for a certain client during a specified time. Thanks though!

0 Karma
Reply

somesoni2
Revered Legend
‎10-02-2017 09:59 AM

How about this?

source=D:\\THY\\helper source=IH_Daily\\Debug End earliest=-30h@h
 | eval time=strftime(round(strptime(file_Time, "%I:%M:%S %P")), "%H:%M:%S")
 | rex field=source "importhelpers\\+(?[^\\]+)"
 | where ((like(source,"%"."client1"."%")) AND time>="05:15:00")
 OR ((like(source,"%"."client2"."%")) AND time>="09:45:00")
 OR ((like(source,"%"."client3"."%")) AND time>="07:42:00")
 OR ((like(source,"%"."client4"."%")) AND time>="07:25:00")
 OR ((like(source,"%"."client5"."%")) AND time>="05:30:00")
 OR ((like(source,"%"."client6"."%")) AND time>="01:15:00")
 | table ClientID, timerange, source
0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars this month. This ...

They're back! Join the SplunkTrust and MVP at .conf24

With our highly anticipated annual conference, .conf, comes the fez-wearers you can trust! The SplunkTrust, as ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...