https://community.splunk.com/t5/Getting-Data-In/Display-sources-which-do-not-have-a-string/m-p/48361#M9155 <P>Is not output to the list if any (host log is not output) host has not been activated within the specified time that it is the search is present but OK?</P> Wed, 28 Aug 2013 02:28:48 GMT HiroshiSatoh 2013-08-28T02:28:48Z https://community.splunk.com/t5/Getting-Data-In/Display-sources-which-do-not-have-a-string/m-p/48358#M9152 <P>Hello,</P> <P>When I restart a large application with hundreds of processes, I can see a string like "startup successful" from the logs.</P> <P>How can I display a list of host and sources which do not have this string?</P> <P>host1:/a/b/c1/file1.log<BR /> host1:/a/b/c2/file2.log<BR /> host1:/a/b/c3/file3.log<BR /> host2:/a/b/c1/file1.log<BR /> host2:/a/b/c2/file2.log<BR /> host2:/a/b/c3/file3.log<BR /> ...</P> <P>Suppose host99:/a/b/c13/file23.log did not have the "startup successful" string. How would I display that?</P> Tue, 27 Aug 2013 18:50:31 GMT https://community.splunk.com/t5/Getting-Data-In/Display-sources-which-do-not-have-a-string/m-p/48358#M9152 nbk7e9d 2013-08-27T18:50:31Z https://community.splunk.com/t5/Getting-Data-In/Display-sources-which-do-not-have-a-string/m-p/48359#M9153 <P>Proving the negative is a bit harder than opposite. Assuming that all of those files are of the same <CODE>sourcetype</CODE>, one approach is to use a simple subsearch;</P> <PRE><CODE>sourcetype=XXX earliest=-15m NOT [search sourcetype=XXX earliest=-15m "startup successful" | dedup host, source | fields + host, source] | dedup host, source | table host, source </CODE></PRE> <P>Set the <CODE>earliest</CODE> time at the time of the restart, so you don't get irrelevant older events included. In this case I gave the application 15 minutes to startup, before running the search so-to-speak.</P> <P>/K</P> Tue, 27 Aug 2013 19:34:18 GMT https://community.splunk.com/t5/Getting-Data-In/Display-sources-which-do-not-have-a-string/m-p/48359#M9153 kristian_kolb 2013-08-27T19:34:18Z https://community.splunk.com/t5/Getting-Data-In/Display-sources-which-do-not-have-a-string/m-p/48360#M9154 <P>Since I'm selecting a custom time from the timepicker and my sourcetypes aren't exactly the same, I used:</P> <P>host=host* sourcetype=logs* NOT [search host=host* sourcetype=logs* "startup successful" | dedup host, source | fields + host, source] | dedup host, source | table host, source</P> <P>This works nicely. Thanks!</P> Tue, 27 Aug 2013 22:01:02 GMT https://community.splunk.com/t5/Getting-Data-In/Display-sources-which-do-not-have-a-string/m-p/48360#M9154 nbk7e9d 2013-08-27T22:01:02Z https://community.splunk.com/t5/Getting-Data-In/Display-sources-which-do-not-have-a-string/m-p/48361#M9155 <P>Is not output to the list if any (host log is not output) host has not been activated within the specified time that it is the search is present but OK?</P> Wed, 28 Aug 2013 02:28:48 GMT https://community.splunk.com/t5/Getting-Data-In/Display-sources-which-do-not-have-a-string/m-p/48361#M9155 HiroshiSatoh 2013-08-28T02:28:48Z https://community.splunk.com/t5/Getting-Data-In/Display-sources-which-do-not-have-a-string/m-p/48362#M9156 <P>The double negative type question is confusing me. <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span> This search will give me a table of hosts,logs that do NOT have "start successful" message from the time I choose in the TimePicker.</P> Wed, 28 Aug 2013 17:35:37 GMT https://community.splunk.com/t5/Getting-Data-In/Display-sources-which-do-not-have-a-string/m-p/48362#M9156 nbk7e9d 2013-08-28T17:35:37Z