https://community.splunk.com/t5/Splunk-Search/How-do-you-execute-a-two-pattern-search-where-the-first-pattern/m-p/382138#M167530 <P>Thanks for your help </P> Mon, 17 Sep 2018 12:14:59 GMT jeevananm06 2018-09-17T12:14:59Z https://community.splunk.com/t5/Splunk-Search/How-do-you-execute-a-two-pattern-search-where-the-first-pattern/m-p/382134#M167526 <P>I was executing my search on a log file.</P> <P>This is the pattern i want to search ** END ABCD234** <STRONG>hour&gt;00</STRONG> where this shouldn't be searched on several <STRONG>host</STRONG>(servers). </P> <P>The host that needs to be ignored can be identified by this pattern <STRONG>"DISABLE" "END" hour&gt;00</STRONG> </P> <P>Here, hour is a field extracted from timestamp (Example:<STRONG>01</STRONG>:15:38- here 01 was extracted). </P> <P>Please let me know if more info needed.</P> Fri, 14 Sep 2018 10:38:42 GMT https://community.splunk.com/t5/Splunk-Search/How-do-you-execute-a-two-pattern-search-where-the-first-pattern/m-p/382134#M167526 jeevananm06 2018-09-14T10:38:42Z https://community.splunk.com/t5/Splunk-Search/How-do-you-execute-a-two-pattern-search-where-the-first-pattern/m-p/382135#M167527 <P>looks like do-able task....<BR /> yes, more info needed please..</P> Fri, 14 Sep 2018 13:28:04 GMT https://community.splunk.com/t5/Splunk-Search/How-do-you-execute-a-two-pattern-search-where-the-first-pattern/m-p/382135#M167527 inventsekar 2018-09-14T13:28:04Z https://community.splunk.com/t5/Splunk-Search/How-do-you-execute-a-two-pattern-search-where-the-first-pattern/m-p/382136#M167528 <P>If "DISABLE" is the keyword that need to be ignored, then specify this before the hour field. </P> <P>Like, <CODE>index=idx END NOT "DISABLE" | where hour&gt;00</CODE>. If this is not what you're looking for, then please provide sample events which has these keywords.</P> Fri, 14 Sep 2018 13:30:20 GMT https://community.splunk.com/t5/Splunk-Search/How-do-you-execute-a-two-pattern-search-where-the-first-pattern/m-p/382136#M167528 sudosplunk 2018-09-14T13:30:20Z https://community.splunk.com/t5/Splunk-Search/How-do-you-execute-a-two-pattern-search-where-the-first-pattern/m-p/382137#M167529 <P>It seems like you want to search which has <CODE>END ABCD234 hour&gt;00</CODE> as pattern (event 1) but does not have <CODE>DISABLE END hour&gt;00</CODE> (separate event 2). If that's the case, you can try something like this</P> <PRE><CODE>index=yourindex sourcetype=yoursourcetype END ABCD234 hour&gt;00 NOT [search index=yourindex sourcetype=yoursourcetype DISABLE END hour&gt;00 | stats count by host | table host ] </CODE></PRE> <P>The subsearch would exclude all the hosts that have <CODE>DISABLE END hour&gt;00</CODE> events, from the main search result.</P> Fri, 14 Sep 2018 13:55:10 GMT https://community.splunk.com/t5/Splunk-Search/How-do-you-execute-a-two-pattern-search-where-the-first-pattern/m-p/382137#M167529 somesoni2 2018-09-14T13:55:10Z https://community.splunk.com/t5/Splunk-Search/How-do-you-execute-a-two-pattern-search-where-the-first-pattern/m-p/382138#M167530 <P>Thanks for your help </P> Mon, 17 Sep 2018 12:14:59 GMT https://community.splunk.com/t5/Splunk-Search/How-do-you-execute-a-two-pattern-search-where-the-first-pattern/m-p/382138#M167530 jeevananm06 2018-09-17T12:14:59Z https://community.splunk.com/t5/Splunk-Search/How-do-you-execute-a-two-pattern-search-where-the-first-pattern/m-p/382139#M167531 <P>@jeevananm06 if your issue is resolved do accept this answer to mark your question as answered!</P> Mon, 17 Sep 2018 17:01:21 GMT https://community.splunk.com/t5/Splunk-Search/How-do-you-execute-a-two-pattern-search-where-the-first-pattern/m-p/382139#M167531 niketn 2018-09-17T17:01:21Z https://community.splunk.com/t5/Splunk-Search/How-do-you-execute-a-two-pattern-search-where-the-first-pattern/m-p/382140#M167532 <P>Done Thanks for your help</P> Wed, 19 Sep 2018 07:35:17 GMT https://community.splunk.com/t5/Splunk-Search/How-do-you-execute-a-two-pattern-search-where-the-first-pattern/m-p/382140#M167532 jeevananm06 2018-09-19T07:35:17Z