https://community.splunk.com/t5/Splunk-Search/Application-Logging-Select-events-that-don-t-have-certain-values/m-p/595854#M207408 <P>I think if I use NOT [subsearch] this will work.</P> Thu, 28 Apr 2022 21:08:10 GMT charbaugh77 2022-04-28T21:08:10Z https://community.splunk.com/t5/Splunk-Search/Application-Logging-Select-events-that-don-t-have-certain-values/m-p/595851#M207407 <P>I have a .net core application that logs various events with properties (WorkItem, EventName, etc).<BR /><BR />I need to query WorkItems that have never had certain events kinda like a SQL NOT Exists.&nbsp; I can filter out the events I don't want but I cannot select where they never existed.<BR /><BR /><U>WorkItem | Event<BR /></U>1234&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; | Task Created<BR />1234&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; | Retrieval Ready<BR />1234&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; | NIGO Completed<BR />5678&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; | Retrieval Ready<BR />9012&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; | Task Created<BR />9012&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; | Retrieval Ready<BR /><BR />The query should return all WorkItems with events that equal Retrieval Ready and not NIGO Completed...example result.<BR /><BR /><U>WorkItem | Event<BR /></U>5678&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; | Retrieval Ready<BR />9012&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; | Retrieval Ready<BR /><BR /><BR /></P> Thu, 28 Apr 2022 20:56:08 GMT https://community.splunk.com/t5/Splunk-Search/Application-Logging-Select-events-that-don-t-have-certain-values/m-p/595851#M207407 charbaugh77 2022-04-28T20:56:08Z https://community.splunk.com/t5/Splunk-Search/Application-Logging-Select-events-that-don-t-have-certain-values/m-p/595854#M207408 <P>I think if I use NOT [subsearch] this will work.</P> Thu, 28 Apr 2022 21:08:10 GMT https://community.splunk.com/t5/Splunk-Search/Application-Logging-Select-events-that-don-t-have-certain-values/m-p/595854#M207408 charbaugh77 2022-04-28T21:08:10Z https://community.splunk.com/t5/Splunk-Search/Application-Logging-Select-events-that-don-t-have-certain-values/m-p/595890#M207425 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/245349">@charbaugh77</a>,</P><P>you have two choices:</P><UL><LI>use a subsearch, following the hint from&nbsp;@charbaug77</LI><LI>&nbsp;goup events anf filter them.</LI></UL><P>the first solution is easier but in general has the limitation of 50,000 results and probably it isn't your case.</P><P>Anyway, first solution:</P><LI-CODE lang="markup">index=your_index NOT [ search index=your_index "Task Created"="NIGO Completed" | fields WorkItem ] | table WorkItem Event</LI-CODE><P>second option:</P><LI-CODE lang="markup">index=your_index | stats values(Event) AS Event count(eval(if("Task Created"="NIGO Completed",1,0))) AS check BY WorkItem | where check=0 | mvexpand Event | table WorkItem Event</LI-CODE><P>Ciao.</P><P>Giuseppe</P><P>&nbsp;</P> Fri, 29 Apr 2022 06:50:00 GMT https://community.splunk.com/t5/Splunk-Search/Application-Logging-Select-events-that-don-t-have-certain-values/m-p/595890#M207425 gcusello 2022-04-29T06:50:00Z https://community.splunk.com/t5/Splunk-Search/Application-Logging-Select-events-that-don-t-have-certain-values/m-p/596186#M207538 <P>Thank you&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/161352">@gcusello</a>!</P><P>&nbsp;</P><P>I'm trying to understand the second option.&nbsp; This doesn't make sense to me.&nbsp; How is Task Created=NIGO Completed?</P><LI-CODE lang="markup">count(eval(if("Task Created"="NIGO Completed",1,0)))</LI-CODE><P><BR />This does seem to work better but I would like to understand more for future reference.</P><P><BR />Corey</P> Mon, 02 May 2022 18:01:17 GMT https://community.splunk.com/t5/Splunk-Search/Application-Logging-Select-events-that-don-t-have-certain-values/m-p/596186#M207538 charbaugh77 2022-05-02T18:01:17Z https://community.splunk.com/t5/Splunk-Search/Application-Logging-Select-events-that-don-t-have-certain-values/m-p/596213#M207548 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/245349">@charbaugh77</a>,</P><P>the second option is very useful when you have to check a condition and you cannot use subsearches because the subsearch could have more than 50,000 results (this is the limit of subsearches).</P><P>It works grouping for the common key and identifying a condition in bot the main and secondary search (in your case the eval command).</P><P>Ciao.</P><P>Giuseppe</P><P>P.S.: Karma Points are appreciated by all the Contributors <span class="lia-unicode-emoji" title=":winking_face:">😉</span></P> Tue, 03 May 2022 06:35:10 GMT https://community.splunk.com/t5/Splunk-Search/Application-Logging-Select-events-that-don-t-have-certain-values/m-p/596213#M207548 gcusello 2022-05-03T06:35:10Z https://community.splunk.com/t5/Splunk-Search/Application-Logging-Select-events-that-don-t-have-certain-values/m-p/596264#M207568 <P>Hello again&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/161352">@gcusello</a>&nbsp;<span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P><P>I'm wonder how eval part works.&nbsp; To me this would always be 0.&nbsp; When would this condition every equal 1 and how does it work?<BR /><BR /></P><LI-CODE lang="markup">if("Task Created"="NIGO Completed",1,0)</LI-CODE><P>&nbsp;</P><P>Thanks again <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Tue, 03 May 2022 14:12:25 GMT https://community.splunk.com/t5/Splunk-Search/Application-Logging-Select-events-that-don-t-have-certain-values/m-p/596264#M207568 charbaugh77 2022-05-03T14:12:25Z https://community.splunk.com/t5/Splunk-Search/Application-Logging-Select-events-that-don-t-have-certain-values/m-p/596266#M207570 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/245349">@charbaugh77</a>,</P><P>in few words, the count in stats command runs only when the condition is matched.</P><P>I needed much time to understand how to use eval in stats!</P><P>In addition, a little hint: avoid field names (as e.g. "Task Created") using spaces or dots or "-", because you have always to use quotes and somethimes in the eval command it doesn't work.</P><P>Ciao.</P><P>Giuseppe</P> Tue, 03 May 2022 14:23:27 GMT https://community.splunk.com/t5/Splunk-Search/Application-Logging-Select-events-that-don-t-have-certain-values/m-p/596266#M207570 gcusello 2022-05-03T14:23:27Z https://community.splunk.com/t5/Splunk-Search/Application-Logging-Select-events-that-don-t-have-certain-values/m-p/596270#M207571 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/161352">@gcusello</a>&nbsp;-&nbsp;Task Created is not a field name.&nbsp; Its a field value for the Events field.&nbsp; Did you get confused?&nbsp; See the original post, please.</P> Tue, 03 May 2022 14:57:25 GMT https://community.splunk.com/t5/Splunk-Search/Application-Logging-Select-events-that-don-t-have-certain-values/m-p/596270#M207571 charbaugh77 2022-05-03T14:57:25Z https://community.splunk.com/t5/Splunk-Search/Application-Logging-Select-events-that-don-t-have-certain-values/m-p/596271#M207572 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/245349">@charbaugh77</a>,</P><P>sorry! use "Event" as field name in all the eval statements!</P><P>Ciao.</P><P>Giuseppe</P> Tue, 03 May 2022 15:02:36 GMT https://community.splunk.com/t5/Splunk-Search/Application-Logging-Select-events-that-don-t-have-certain-values/m-p/596271#M207572 gcusello 2022-05-03T15:02:36Z https://community.splunk.com/t5/Splunk-Search/Application-Logging-Select-events-that-don-t-have-certain-values/m-p/596272#M207573 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/161352">@gcusello</a>&nbsp;Thank you...this was very confusing to me.</P><P>&nbsp;</P><P>Cheers</P> Tue, 03 May 2022 15:06:00 GMT https://community.splunk.com/t5/Splunk-Search/Application-Logging-Select-events-that-don-t-have-certain-values/m-p/596272#M207573 charbaugh77 2022-05-03T15:06:00Z