Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

search for a string in field , if not there then trigger alert with remaining data in fields

kirrusk
Communicator
‎09-28-2021 11:40 PM

Hi,

I want to check for a string in the field, but if the string is not found in the field then need to print the remaining data. (last 15 mins data)

for example,

Field1      Field2             
9/2/10   successful
9/2/10   creating the file
9/2/10   created

from the above table, I want to check the Field2 for the last 15mins for string "successful", if no string is found in Field2 with "successful", Then need to trigger an alert with the remaining data like below.


Field1      Field2 
9/2/10   creating the file
9/2/10   created

is this possbile in splunk.

Labels (5)
Labels
Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎09-28-2021 11:58 PM

Hi @kirrusk,

let me understand:

  • your need is a two phases check:
    • check if in Field2 there's the string "Successful",
    • then display the values of the Field2 field below "Successful"

Is this correct?

If this is your need, please try something like this:

index=your_index ield2=*
| transaction startswith="Successful"
| mvexpand field2
| search field2!="Successful"
| table _time field2

if the number of events after "Successful" is fixes (e.g. always 2), you could be more precise adding an option to the transaction command "maxevents=2".

Ciao.

Giuseppe

View solution in original post

Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎09-28-2021 11:58 PM

Hi @kirrusk,

let me understand:

  • your need is a two phases check:
    • check if in Field2 there's the string "Successful",
    • then display the values of the Field2 field below "Successful"

Is this correct?

If this is your need, please try something like this:

index=your_index ield2=*
| transaction startswith="Successful"
| mvexpand field2
| search field2!="Successful"
| table _time field2

if the number of events after "Successful" is fixes (e.g. always 2), you could be more precise adding an option to the transaction command "maxevents=2".

Ciao.

Giuseppe

Reply
Solved! Jump to solution

kirrusk
Communicator
‎09-29-2021 12:30 AM

@gcusello 

@gcusello 
Thank you, but my intention is to trigger an alert with the remaining data in Field2.
if there is no string("Successful") at all in Field2.

sample alert,

no log found for successful, Please find logs

Field1             Field2
9/2/10         creating the file
9/2/10         created

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎09-29-2021 01:57 AM 
index=your_index Field2=*
| eval check=if(Field2="Successful","Yes",null())
| eventstats values(check) AS check
| where isnull(check)
0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎09-29-2021 12:48 AM

Hi @kirrusk,

ok, please try something like this:

index=your_index field2=*
| eval check=if(field2="Successful","Yes","No")
| stats values(EventCode) AS EventCode values(check) AS check dc(check) AS dc_check earliest(_time) AS _time
| search dc_check=1 check=No
| mvexpand field2
| table _time field2

in this way, you check if in your logs there's the "Successful" string:

  • if present, there's no result in the search,
  • if not present, it displays all the field2 values.

Ciao.

Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

Observability | Use Synthetic Monitoring for Website Metadata Verification

If you are on Splunk Observability Cloud, you may already have Synthetic Monitoringin your observability ...

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

Tuesday, May 14, 2024  |  11AM PT / 2PM ET Register to Attend Join us for this Tech Talk and learn how to ...

.conf24 | Personalize your .conf experience with Learning Paths!

Personalize your .conf24 Experience Learning paths allow you to level up your skill sets and dive deeper ...