topic Result that does not match an item in list in Splunk Search

Result that does not match an item in list

vschrodda — Fri, 18 Jun 2021 19:10:19 GMT

With a search I would like a result that does NOT match an element in a list

For instance:

index=myindex source="mysource_*" earliest-30m

I'd like to compare the sources against a list, such as:

("*one","*two","*three")

If the search results, for instance, DON'T include events with the source "mysource_three" I would like a result that states this. Ultimately, I'm looking to create an alert based on the query; if there are no events seen from some sources in the last 30 minutes.

Re: Result that does not match an item in list

richgalloway — Fri, 18 Jun 2021 19:26:30 GMT

Perhaps this will get you started.

index=myindex source="mysource_*" earliest-30m | regex source!="mysource_(?:one|two|three)"

If you get any results, then trigger an alert.

Re: Result that does not match an item in list

vschrodda — Fri, 18 Jun 2021 19:50:28 GMT

This results in a 'source' that did not match an element in the list. I can do this without issue. I'm trying to determine which element(s) did not have any matching events (there would be no matching events in the last 30 minutes)

Re: Result that does not match an item in list

richgalloway — Fri, 18 Jun 2021 21:18:26 GMT

I got lost with all the negatives in that. What problem are you trying to solve?

Re: Result that does not match an item in list

vschrodda — Fri, 18 Jun 2021 22:14:20 GMT

I'm simply trying to determine/list any elements ("*one","*two","*three") did not have any matching events in given time frame

Re: Result that does not match an item in list

vschrodda — Fri, 18 Jun 2021 23:19:20 GMT

Figured out what I needed