Blank CSV in splunk report - splunk

In a Splunk report, can we get at least the header (column names) in the attached CSV in the autogenerated email if there are no data in the CSV/Splunk?
e.g. if there is no data it should still at least show the header names.

If there are no results, you shouldn't be getting anything sent to you in your Alert/Scheduled Report
Why would you expect to see header rows, when they only "exist" if there are rows of data?
When you run the Report manually, you'll note when there are "no results" there are, well ... "no results"
There is no header information because there is no information
Edit to address comment "there is one requirement from client that they want at least column name if report is blank"
You need to manually create a "blank" report; something similar to this should work:
index=ndx sourcetype=srctp
| fillnull value="-" fieldA, fieldB, fieldC ...
<rest of search before stats>
| stats count by *
<rest of search>
That should mean when you eventually stats out your table, you'll have at least something "in every field" - which means you should always get at least one row (even if it's all dashes).

Related

How to accumulate counts from different searches into one (pie) chart?

I have 5 different searches I am doing in Splunk where I am getting the count of how many results from that search query.
I've had a look at this thread here:
https://answers.splunk.com/answers/757081/pie-chart-with-count-from-different-search-criteri.html
but it's not quite working for me; I'm not 100% sure if it's what I want.
My search queries all look something like this:
index=A variable="foo" message="Created*" | stats count
index=A variable="foo" message="Deleted*" | stats count
I ideally want to assign each query to a keyword - such as created, deleted, etc, then do a pie chart based on the counts.
The following should be sufficient.
index=A variable="foo" message="Created*" OR message="Deleted*" OR message="<repeat this for any other message types you want>" | stats count by message
If you can provide some more examples of the events you are trying to chart, there may be alternate approaches that can work for you.
This version will extract the key part of the message (Created, Deleted, etc.) into a field called mtype and you can then perform stats on that field.
index=A variable="foo" message="Created*" OR message="Deleted*" OR message="<repeat this for any other message types you want>" | rex field=message "(?<mtype>Created|Deleted|...)" | stats count by mtype

Splunk query to get user, saved search name, last time the query ran

From Splunk, I am trying to get the user, saved search name and last time a query ran?
A single Splunk query will be nice.
I am very new to Splunk and I have tried these queries:
index=_audit action=search info=granted search=*
| search IsNotNull(savedsearch_name) user!="splunk-system-user"
| table user savedserach_name user search _time
The above query is always empty for savedsearch_name.
Splunk's audit log leaves a bit to be desired. For better results, search the internal index.
index=_internal savedsearch_name=* NOT user="splunk-system-user"
| table user savedsearch_name _time
You won't see the search query, however. For that, use REST.
| rest /services/saved/searches | fields title search
Combine them something like this (there may be other ways)
index=_internal savedsearch_name=* NOT user="splunk-system-user"
| fields user savedsearch_name _time
| join savedsearch_name [| rest /services/saved/searches
| fields title search | rename title as savedsearch_name]
| table user savedsearch_name search _time
Note that you have a typo in your query. "savedserach_name" should be "savedsearch_name".
But I also recommend a free app that has a dedicated search tool for this purpose.
https://splunkbase.splunk.com/app/6449/
Specifically the "user activity" view within that app.
Why it's a complex problem - part of the puzzle is in the audit log's info="granted" event, another part is in the audit log's info="completed" event, even more of it is over in the introspection index. You need those three stitched together, and the audit log is plagued with parsing problems and autokv compounds the problem by extracting all of the fields from the SPL itself.
That User Activity view will do all of this for you, sidestep pretty thorny autokv problems in the audit data, and not just give you all of this per search, but also present stats and rollups by user, app, dashboard, even by sourcetypes-that-were-actually-searched.
It also has a macro called "calculate pain" that will score a "pain" number for each search, and then sum up all the "pain" in the by-user, by-app, by-sourcetype rollups etc. so that admins can try and pick off the worst offenders first.
It's up on SB here and approved for both Cloud and on-prem - https://splunkbase.splunk.com/app/6449/
(and there's a #sideview_ui channel for it in the community slack.)

Extracting certain fields from Splunk query results

I want to print the value of a certain field from a set of events that results from running a particular search query. Here's my query:
index=abc "all events that contain this string" sourcetype=prd
Now, this returns certain events that contain a field called traceId. What I want is to extract unique traceIds from the result and print them. Here's the query that I am using currently, but to no avail:
index=abc "all events that contain this string" sourcetype=prd | rex field=_raw "traceId: (?<traceId>.*)"
This query prints all the fields in the event (events are printed as JSON docs).
Can someone help me with this? I have never worked with Splunk before, so please go easy if the question looks a bit easy.
Thanks!
Answering this without some sample data is almost impossible... still, I think you are getting all data because:
1. You are not using the fields command to filter your fields of interest. It would go like so:
index=abc "all events that contain this string" sourcetype=prd | rex field=_raw "traceId: (?<traceId>.*)" | fields field1, field2, traceId
2. Your regular expression is greedy, which means the traceId field will contain all text from that point to the end of the event. Try to be more specific, e.g. \d+ for numeric data or even [^\s]+ for non-blanks.
~HTH

Query to find the unique code in splunk

Can someone suggest a query to send the unique error code count?
Example: 2006
In between the tags (in place of 2006) different codes are printed.
I need a query to pull all the unique error codes.
You can use the rex command to extract the desired values. It will look something like this:
your_initial_query
| rex field=_raw "<com:errorCode>(?<code>.*)<\/com:errorCode>"
| stats count by code
The second line tells rex to extract everything between the errorCode tags and save that to a field called code. You can then use the stats command to count the number of times a code is seen.
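The three rex-based answers on this page (the message-type extraction for the pie chart, the traceId extraction with the greedy-regex caveat, and the errorCode extraction with a count per code) all rely on the same two SPL steps: a named-group regex over _raw, then stats count by the new field. The following Python script is an added example, not code from any of the answers above, that reproduces those two steps over a handful of constructed sample events so the greedy-versus-bounded regex difference can be seen directly. The events, the field names traceId, code and mtype, and the helper names rex, stats_count_by and distinct are all assumptions made for the example; note that Python's re module spells named groups (?P<name>...) whereas Splunk's rex accepts (?<name>...).

```python
import re
from collections import Counter

# Constructed sample events; they are not taken from any of the threads above.
# The first three mimic the traceId / message events, the rest mimic the
# <com:errorCode> XML fragments. The last event deliberately carries two codes
# so the greedy pattern's failure mode is visible.
EVENTS = [
    '2024-01-01T10:00:00Z traceId: a1b2c3 level=INFO message="Created order 42"',
    '2024-01-01T10:00:01Z traceId: a1b2c3 level=INFO message="Created order 43"',
    '2024-01-01T10:00:02Z traceId: d4e5f6 level=WARN message="Deleted order 42"',
    '<com:errorCode>2006</com:errorCode><com:errorText>timeout</com:errorText>',
    '<com:errorCode>2007</com:errorCode><com:errorText>denied</com:errorText>',
    '<com:errorCode>2006</com:errorCode><com:errorText>timeout</com:errorText>',
    '<com:errorCode>2008</com:errorCode><com:errorCode>2009</com:errorCode>',
]

# Python's re needs (?P<name>...) where Splunk's rex accepts (?<name>...);
# apart from that the patterns are what you would pass to rex.
GREEDY_TRACE = r"traceId: (?P<traceId>.*)"       # .* runs to the end of the event
BOUNDED_TRACE = r"traceId: (?P<traceId>\S+)"     # \S+ stops at the first whitespace
GREEDY_CODE = r"<com:errorCode>(?P<code>.*)</com:errorCode>"      # the answer's pattern
BOUNDED_CODE = r"<com:errorCode>(?P<code>[^<]+)</com:errorCode>"  # stops at the next tag
MTYPE = r"(?P<mtype>Created|Deleted)"            # key part of the message field


def rex(events, pattern):
    """Apply a named-group regex to each raw event, like `rex field=_raw`.
    Events that do not match are dropped here; in Splunk they would stay in the
    pipeline without the field and be ignored by `stats count by` anyway."""
    rx = re.compile(pattern)
    rows = []
    for ev in events:
        m = rx.search(ev)
        if m:
            rows.append(m.groupdict())
    return rows


def stats_count_by(rows, field):
    """Equivalent of `| stats count by <field>`: maps each value to its count."""
    return dict(Counter(r[field] for r in rows if r.get(field) is not None))


def distinct(rows, field):
    """Equivalent of `| dedup <field> | table <field>`: sorted unique values."""
    return sorted({r[field] for r in rows if r.get(field) is not None})


if __name__ == "__main__":
    # Greedy capture swallows the rest of the event; the bounded one yields the id alone.
    print("greedy traceId:", rex(EVENTS, GREEDY_TRACE)[0]["traceId"])
    print("unique traceIds:", distinct(rex(EVENTS, BOUNDED_TRACE), "traceId"))
    # With two codes in one event the greedy pattern captures across both tags.
    print("greedy code on two-code event:", rex(EVENTS, GREEDY_CODE)[-1]["code"])
    print("count by code:", stats_count_by(rex(EVENTS, BOUNDED_CODE), "code"))
    print("count by mtype:", stats_count_by(rex(EVENTS, MTYPE), "mtype"))
```

Running it shows why the greedy-regex advice matters: on a single-tag event the answer's `.*` pattern works, but as soon as an event carries a second errorCode tag the capture spans both, and the traceId pattern with `.*` captures the whole remainder of the line rather than the id. A character class that excludes the delimiter (`[^<]+`, `\S+`, `\d+`) is the fix in both SPL and Python.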

Querying via a form with value from textbox as criteria

The situation: metadata about biological specimens are collected in an Access table. The specimens come from human patients and patient data are collected in a separate table. To limit the amount of private health information we have hanging around, the patient database must be updated with new patients only when we actually receive samples from them.
So that the data entry workers know when they need to update the patient table, I want a button in the specimen data entry form that will pass an entered patient id value as criteria to a query.
The query looks like this right now:
SELECT Patients.[Patient id]
FROM Patients
WHERE (((Patients.[Patient id])=[Forms]![Specimen entry]![patient id]));
but it never has results, even when I run it from records that I know correspond to patients in the patient table. How do I fix this?
Suggestions about what to call this situation so that I can make better searches about it would also be appreciated. I'm an Access novice.
The query looks correct, but make sure the WHERE clause is comparing numbers to numbers or strings to strings (not a number to a string). Also confirm that the form and textbox names are correct. A quick test using your query worked for me.
Depending on how you plan to present the information, you can also dynamically create the query in VBA and then pass the information to the form.
For searching, I'd recommend some combination of access, dynamic, query, and vba.
Alternative option
If you're only looking to see if a single patient exists in the table, it may be simpler to use the dlookup function:
If IsNull(DLookup("[Patient ID]", "Patients", "[Patient ID]='" & Me.Patient_ID & "'")) Then MsgBox "does not exist"
This will check to see if the patient exists (returns a number) or does not exist (returns Null).
https://support.office.com/en-us/article/DLookup-Function-8896cb03-e31f-45d1-86db-bed10dca5937