topic Re: Back ground exclusion in Splunk Search

Back ground exclusion

cpeteman — Thu, 08 Aug 2013 22:02:16 GMT

So I have search and I would like to exclude all of those results from some future searches. Aside from specifying some by NOT, which given the length of the first search would be questionable at best. Is there a way to make this exclusion in the backgrounmd not in search?

Here is the search:

search terms  | eval TimeInHour=_time%3600 
| rex mode=sed "s/ \d{4}-\d{1,2}-\d{1,2} \d{1,2}:\d{1,2}:\d{1,2}//g" 
| stats first(_raw) by punct,TimeInHour,_raw,_time 
|  stats count by _raw,TimeInHour,punct 
|  addinfo| eval hours = round((info_max_time - info_min_time)/3600,0) 
| where count > hours-1

Re: Back ground exclusion

sdaniels — Fri, 09 Aug 2013 12:58:47 GMT

Updated:

In this case, you'll want to use a macros and that will allow you to reference the macro and simplify the look of the search and if you ever need to use it in an adhoc fashion you'll just need to remember the macro.

http://docs.splunk.com/Documentation/Splunk/5.0.4/Search/Usesearchmacros

Re: Back ground exclusion

cpeteman — Fri, 09 Aug 2013 17:15:23 GMT

So I tried creating an event type but the search I have is too complicated and gives me:

" Message: Eventtype search string cannot be a search pipeline or contain a subsearch"

Want me to post the full search?

Re: Back ground exclusion

sdaniels — Fri, 09 Aug 2013 17:37:31 GMT

Lets see the search and what you are trying to simplify. Eventtype will be for anything narrowing down search without and pipes like sourcetype='x' AND error NOT failure NOT critical NOT down. A macros can make use of pipes however. Depends on what you are trying to achieve.

http://docs.splunk.com/Documentation/Splunk/5.0.4/Search/Usesearchmacros

Re: Back ground exclusion

cpeteman — Fri, 09 Aug 2013 17:44:19 GMT

I posted as you can see it needs quite a bit of piping

Re: Back ground exclusion

sdaniels — Fri, 09 Aug 2013 17:52:15 GMT

Updated above. You can use the SED command at index time and mask or delete data as well. However, that would affect all future searches of that data.

Re: Back ground exclusion

cpeteman — Fri, 09 Aug 2013 17:59:03 GMT

So I got the marco running as hourly when I search:

hourly I get the results I would expect

However excluding

search terms NOThourly``

gives no results which is not what I expected or want.

Re: Back ground exclusion

sdaniels — Fri, 09 Aug 2013 18:04:33 GMT

You can't use a macro in that way with NOT. However you write the macro the intent should be that it filters out what you don't want to see.

Re: Back ground exclusion

cpeteman — Fri, 09 Aug 2013 18:05:45 GMT

Ah ok,,,,,

Re: Back ground exclusion

cpeteman — Fri, 09 Aug 2013 18:28:44 GMT

Having trouble, based on the posted search do you know how I would make the filter macro?

Re: Back ground exclusion

cpeteman — Fri, 09 Aug 2013 20:44:39 GMT

I made a new question as a follow up, but I've not forgotten this one. if it gets answered and it turns out that macro's are the way to go I'll mark this as the right answers 😉