https://community.splunk.com/t5/Splunk-Search/How-to-search-a-exception-in-splunk-which-didn-t-occurred-in/m-p/516063#M144947 <P>Like I said, finding something that has never happened before is a challenge.&nbsp; The definition of "never" will depend on how far back your indexed data goes.&nbsp; Because you'll be comparing a given event to all other events in your index(es) you can expect this to be very slow.&nbsp; A simple example:</P><LI-CODE lang="markup">index=foo earliest=-1y | stats count by _raw | where count = 1 | fields - count</LI-CODE><P>This search will return all unique events from the "foo" index over the past year.&nbsp; You can speed up the search by being more specific about what you search for.&nbsp; Perhaps you only want events with "Exception" or "ERROR" in them, for instance.</P> Tue, 25 Aug 2020 15:20:16 GMT richgalloway 2020-08-25T15:20:16Z https://community.splunk.com/t5/Splunk-Search/How-to-search-a-exception-in-splunk-which-didn-t-occurred-in/m-p/516002#M144925 <P>How to search a exception in splunk which didn't occurred in past</P> Tue, 25 Aug 2020 11:42:33 GMT https://community.splunk.com/t5/Splunk-Search/How-to-search-a-exception-in-splunk-which-didn-t-occurred-in/m-p/516002#M144925 koushik91 2020-08-25T11:42:33Z https://community.splunk.com/t5/Splunk-Search/How-to-search-a-exception-in-splunk-which-didn-t-occurred-in/m-p/516008#M144927 Please say more about what you are trying to accomplish.<BR />Understand that searching for something that did not happen is a challenge. Tue, 25 Aug 2020 12:28:33 GMT https://community.splunk.com/t5/Splunk-Search/How-to-search-a-exception-in-splunk-which-didn-t-occurred-in/m-p/516008#M144927 richgalloway 2020-08-25T12:28:33Z https://community.splunk.com/t5/Splunk-Search/How-to-search-a-exception-in-splunk-which-didn-t-occurred-in/m-p/516043#M144937 <P>Hi richgalloway,</P><P>Yes, i want to search a exception which was not occurred in past. I am creating a Alert Notification for a exception which was not occurred in past. Please share me search query which you have&nbsp;</P> Tue, 25 Aug 2020 14:25:52 GMT https://community.splunk.com/t5/Splunk-Search/How-to-search-a-exception-in-splunk-which-didn-t-occurred-in/m-p/516043#M144937 koushik91 2020-08-25T14:25:52Z https://community.splunk.com/t5/Splunk-Search/How-to-search-a-exception-in-splunk-which-didn-t-occurred-in/m-p/516063#M144947 <P>Like I said, finding something that has never happened before is a challenge.&nbsp; The definition of "never" will depend on how far back your indexed data goes.&nbsp; Because you'll be comparing a given event to all other events in your index(es) you can expect this to be very slow.&nbsp; A simple example:</P><LI-CODE lang="markup">index=foo earliest=-1y | stats count by _raw | where count = 1 | fields - count</LI-CODE><P>This search will return all unique events from the "foo" index over the past year.&nbsp; You can speed up the search by being more specific about what you search for.&nbsp; Perhaps you only want events with "Exception" or "ERROR" in them, for instance.</P> Tue, 25 Aug 2020 15:20:16 GMT https://community.splunk.com/t5/Splunk-Search/How-to-search-a-exception-in-splunk-which-didn-t-occurred-in/m-p/516063#M144947 richgalloway 2020-08-25T15:20:16Z