topic Re: If an event with "removed" appears, how to exclude all other events with the same ID from search results? in Splunk Search

If an event with "removed" appears, how to exclude all other events with the same ID from search results?

spsdoit — Mon, 19 Jan 2015 13:12:29 GMT

The events look like this:

DATE=2015-01-19;TIME=10:34:20;STATUS=INFO;ID=57689;JOB=;ACTION=updateCounter;REASON=NotDigital

DATE=2015-01-19;TIME=10:34:20;STATUS=INFO;ID=30689;JOB=;ACTION=updateCounter;REASON=NotDigital

DATE=2015-01-19;TIME=10:34:20;STATUS=INFO;ID=57689;JOB=;ACTION=updateCounter;REASON=Digital

DATE=2015-01-19;TIME=10:34:20;STATUS=INFO;ID=30689;JOB=;ACTION=updateCounter;REASON=Digital

I do group them in a transaction (transaction ID, REASON).
It does happen that the ORDER gets deleted by the application owner. Then I do have the following event:

DATE=2015-01-09;TIME=14:04:30;STATUS=INFO; JOB=HousekeepingTask;ACTION=deleteFromFileSystem;REASON=Order 30689 removed from file system by user example

search looks like

search Index=applicationX sourcetype=application | transaction ID, REASON maxspan=350000s | chart stuff ...

I know I could remove them from the results with NOT ID=XXXYYY, but I need to remove them as soon the orders are removed by the Application.

Thank you very much for any suggestion.

Re: If an event with "removed" appears, how to exclude all other events with the same ID from search results?

richgalloway — Mon, 19 Jan 2015 14:38:48 GMT

Perhaps something like this?

search index=applicationX sourcetype=application | transaction ID maxspan=350000s | where NOT like(REASON,"% removed %") | chart stuff ...

I removed REASON from the transaction command so all events with the same ID will be in the same transaction. Then the where command should eliminate transactions with "remove" in the REASON field.

Re: If an event with "removed" appears, how to exclude all other events with the same ID from search results?

spsdoit — Mon, 19 Jan 2015 14:47:16 GMT

Thank you. This won't work because you example removes only the event (or transaction) with removed in it.
As you can see, the REASON field has different value. I tried that.
The search needs to somehow get the ID from in the remove-event in a variable and then NOT ID like...
Sorry if my explanation is misleading.

Re: If an event with "removed" appears, how to exclude all other events with the same ID from search results?

richgalloway — Mon, 19 Jan 2015 16:30:27 GMT

According to the manual, the where command should remove the entire transaction.
The key is making sure all events with the same ID are the same transaction. That is why I use only the ID field in the transaction command.

Re: If an event with "removed" appears, how to exclude all other events with the same ID from search results?

spsdoit — Thu, 22 Jan 2015 12:44:12 GMT

Well yes, indeed this will work, need to add a transaction with REASON at the end.:

search index=applicationX sourcetype=application | transaction ID maxspan=350000s | where NOT like(REASON,"% removed %") | transaction REASON | chart stuff ...

It can happen that I do have have smth like 250000 event's, this will may slow the report down. I will give it a tray to accelerate the search.
Otherwise, I will summarize, then create the report on the summary index.
Thank you richgalloway.