https://community.splunk.com/t5/Splunk-Search/Partially-eliminate-error-message-in-Splunk-query/m-p/671865#M230216 <P>Hi,</P><P>below are the log details.</P><P>index=ABC sourcetype=logging_0</P><P>Below are the values of "ErrorMessages" field:</P><P>invalid - 5 count</P><P>unprocessable - 7 count (5 invalid pair + 2 others)</P><P>no user foundv- 3 count</P><P>invalid message process - 3 count</P><P>process failed- 3 count</P><P>&nbsp;</P><P>Now I have to eliminate ErrorMessage=invalid and ErrorMessage=unprocessable. Then show all other&nbsp; ErrorMessage.</P><P>But the problem here is , "unprocessable" ErrorMessage will show for other messages as well. so we cannot fully eliminate the&nbsp;"unprocessable" ErrorMessage.</P><P>Whenever "Invalid" ErrorMessage is logging that time "unprocessable" ErrorMessage also will be logged. So we need to eliminate this pair only. Not every "unprocessable" ErrorMessage.</P><P>&nbsp;</P><P>Expected result:</P><P>unprocessable - 2 count</P><P>no user foundv- 3 count</P><P>invalid message process - 3 count</P><P>process failed- 3 count</P><P>&nbsp;</P><P>I tried with join using requestId but its not resulting anything because i am using</P><P>| search ErrorMessage="Invalid" and elimated this in next query so its not searching for other ErrorMessages.</P><P>&nbsp;</P><P>Can someone please help.</P><P>&nbsp;</P><P>&nbsp;</P> Thu, 14 Dec 2023 08:54:15 GMT Dharani 2023-12-14T08:54:15Z https://community.splunk.com/t5/Splunk-Search/Partially-eliminate-error-message-in-Splunk-query/m-p/671865#M230216 <P>Hi,</P><P>below are the log details.</P><P>index=ABC sourcetype=logging_0</P><P>Below are the values of "ErrorMessages" field:</P><P>invalid - 5 count</P><P>unprocessable - 7 count (5 invalid pair + 2 others)</P><P>no user foundv- 3 count</P><P>invalid message process - 3 count</P><P>process failed- 3 count</P><P>&nbsp;</P><P>Now I have to eliminate ErrorMessage=invalid and ErrorMessage=unprocessable. Then show all other&nbsp; ErrorMessage.</P><P>But the problem here is , "unprocessable" ErrorMessage will show for other messages as well. so we cannot fully eliminate the&nbsp;"unprocessable" ErrorMessage.</P><P>Whenever "Invalid" ErrorMessage is logging that time "unprocessable" ErrorMessage also will be logged. So we need to eliminate this pair only. Not every "unprocessable" ErrorMessage.</P><P>&nbsp;</P><P>Expected result:</P><P>unprocessable - 2 count</P><P>no user foundv- 3 count</P><P>invalid message process - 3 count</P><P>process failed- 3 count</P><P>&nbsp;</P><P>I tried with join using requestId but its not resulting anything because i am using</P><P>| search ErrorMessage="Invalid" and elimated this in next query so its not searching for other ErrorMessages.</P><P>&nbsp;</P><P>Can someone please help.</P><P>&nbsp;</P><P>&nbsp;</P> Thu, 14 Dec 2023 08:54:15 GMT https://community.splunk.com/t5/Splunk-Search/Partially-eliminate-error-message-in-Splunk-query/m-p/671865#M230216 Dharani 2023-12-14T08:54:15Z https://community.splunk.com/t5/Splunk-Search/Partially-eliminate-error-message-in-Splunk-query/m-p/671890#M230220 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/230685">@Dharani</a>&nbsp;- I think you explained the question well, but you need to provide sample logs to explain what do you mean by pair of error events.</P><P>&nbsp;</P> Thu, 14 Dec 2023 12:39:10 GMT https://community.splunk.com/t5/Splunk-Search/Partially-eliminate-error-message-in-Splunk-query/m-p/671890#M230220 VatsalJagani 2023-12-14T12:39:10Z https://community.splunk.com/t5/Splunk-Search/Partially-eliminate-error-message-in-Splunk-query/m-p/671993#M230243 <P>sample logs:</P><P>1.<SPAN>IBroker call failed, sessionId=855762c0-9a6b, requestId=bc819b42-6646, request=PUT&nbsp; responseStatus=422&nbsp; response={"ErrorCode":0,"UserMessage":null,"DeveloperMessage":null,"DocumentationUrl":null,"LogId":null,"ValidationErrors":"Invalid product ","Parameters":null}</SPAN></P><P><SPAN>2.</SPAN><SPAN>&nbsp;sessionId=855762c0-9a6b, requestId=bc819b42-6646, request=PUT&nbsp;responseStatus=422 &nbsp;ErrorMessage: unprocessable</SPAN></P><P>&nbsp;</P><P><SPAN>3.</SPAN><SPAN>sessionId=855762c0-9a6b, requestId=bc819b42-6646, request=PUT&nbsp; responseStatus=422&nbsp;ErrorMessage: unprocessable</SPAN></P><P><SPAN>1st 2 logs should be eliminated because they share same requestId, 3 rd logs should be shown.</SPAN></P><P>&nbsp;</P> Fri, 15 Dec 2023 07:40:23 GMT https://community.splunk.com/t5/Splunk-Search/Partially-eliminate-error-message-in-Splunk-query/m-p/671993#M230243 Dharani 2023-12-15T07:40:23Z https://community.splunk.com/t5/Splunk-Search/Partially-eliminate-error-message-in-Splunk-query/m-p/672001#M230244 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/230685">@Dharani</a>&nbsp;- Do you want to see only the last event per RequestId? (like only the latest error per request is right info?)</P><P>&nbsp;</P> Fri, 15 Dec 2023 08:25:15 GMT https://community.splunk.com/t5/Splunk-Search/Partially-eliminate-error-message-in-Splunk-query/m-p/672001#M230244 VatsalJagani 2023-12-15T08:25:15Z https://community.splunk.com/t5/Splunk-Search/Partially-eliminate-error-message-in-Splunk-query/m-p/672004#M230246 <P>Yes , sorry for the typo.&nbsp;</P><P>3rd logs has different requestId. I mistakenly pasted the same requestId.</P> Fri, 15 Dec 2023 09:55:44 GMT https://community.splunk.com/t5/Splunk-Search/Partially-eliminate-error-message-in-Splunk-query/m-p/672004#M230246 Dharani 2023-12-15T09:55:44Z https://community.splunk.com/t5/Splunk-Search/Partially-eliminate-error-message-in-Splunk-query/m-p/672011#M230248 <P>Based on your latest update, the problem should be restated as: remove events with requestId that has a corresponding ValidationErrors value of "Invalid product". (I assume that the trailing space in sample data is a typo.) Is this correct?</P><P>In the format illustrated in sample data, Splunk should have given you compliant JSON in ValidationErrors. &nbsp;Process this first, then literally implement the restated objective.</P><P>&nbsp;</P><LI-CODE lang="markup">| spath input=response | stats values(*) as * by sessionId request requestId responseStatus | where NOT ValidationErrors == "Invalid product"</LI-CODE><P>&nbsp;</P><P>Your sample data will leave you with</P><TABLE><TBODY><TR><TD>sessionId</TD><TD>request</TD><TD>requestId</TD><TD>responseStatus</TD><TD>DeveloperMessage</TD><TD>DocumentationUrl</TD><TD>ErrorCode</TD><TD>LogId</TD><TD>Parameters</TD><TD>UserMessage</TD><TD>ValidationErrors</TD></TR><TR><TD>855762c0-9a6b</TD><TD>PUT</TD><TD>bc819b42-6655</TD><TD>422</TD><TD>&nbsp;</TD><TD>&nbsp;</TD><TD>&nbsp;</TD><TD>&nbsp;</TD><TD>&nbsp;</TD><TD>&nbsp;</TD><TD>&nbsp;</TD></TR></TBODY></TABLE><P>This is the emulation used to test the method:</P><P>&nbsp;</P><LI-CODE lang="markup">| makeresults | fields - _time | eval data = mvappend("IBroker call failed, sessionId=855762c0-9a6b, requestId=bc819b42-6646, request=PUT responseStatus=422 response={\"ErrorCode\":0,\"UserMessage\":null,\"DeveloperMessage\":null,\"DocumentationUrl\":null,\"LogId\":null,\"ValidationErrors\":\"Invalid product\",\"Parameters\":null}", "sessionId=855762c0-9a6b, requestId=bc819b42-6646, request=PUT responseStatus=422 ErrorMessage: unprocessable", "sessionId=855762c0-9a6b, requestId=bc819b42-6655, request=PUT responseStatus=422 ErrorMessage: unprocessable") | mvexpand data | rename data AS _raw | extract ``` data emulation above ```</LI-CODE><P>&nbsp;</P> Fri, 15 Dec 2023 10:56:16 GMT https://community.splunk.com/t5/Splunk-Search/Partially-eliminate-error-message-in-Splunk-query/m-p/672011#M230248 yuanliu 2023-12-15T10:56:16Z https://community.splunk.com/t5/Splunk-Search/Partially-eliminate-error-message-in-Splunk-query/m-p/672174#M230283 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/230685">@Dharani</a>&nbsp;- Try response by&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/33901">@yuanliu</a>&nbsp;</P> Mon, 18 Dec 2023 10:38:07 GMT https://community.splunk.com/t5/Splunk-Search/Partially-eliminate-error-message-in-Splunk-query/m-p/672174#M230283 VatsalJagani 2023-12-18T10:38:07Z