
How do you execute a two-pattern search where the first pattern's host (a field) should be ignored in the second pattern search?

New Member

I was executing my search on a log file.

This is the pattern I want to search: END ABCD234 hour>00, where this shouldn't be searched on several hosts (servers).

The hosts that need to be ignored can be identified by this pattern: "DISABLE" "END" hour>00

Here, hour is a field extracted from the timestamp (example: 01:15:38, where 01 was extracted).

Please let me know if more info is needed.

Re: How do you execute a two-pattern search where the first pattern's host (a field) should be ignored in the second pattern search?

Champion

Looks like a doable task.
Yes, more info needed, please.

Re: How do you execute a two-pattern search where the first pattern's host (a field) should be ignored in the second pattern search?

Motivator

If "DISABLE" is the keyword that needs to be ignored, then specify this before the hour field.

Like, index=idx END NOT "DISABLE" | where hour>00. If this is not what you're looking for, then please provide sample events that have these keywords.

Re: How do you execute a two-pattern search where the first pattern's host (a field) should be ignored in the second pattern search?

SplunkTrust

It seems like you want to search for events that have END ABCD234 hour>00 as the pattern (event 1) but do not have DISABLE END hour>00 (separate event 2). If that's the case, you can try something like this:

index=yourindex sourcetype=yoursourcetype END ABCD234 hour>00 NOT [search index=yourindex sourcetype=yoursourcetype DISABLE END hour>00 | stats count by host | table host ]

The subsearch excludes all the hosts that have DISABLE END hour>00 events from the main search result.

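To make the two-pass logic of the accepted answer concrete, here is an added Python emulation of it run over a handful of constructed log lines. It is not code from the thread or from Splunk, and the event format (host, HH:MM:SS timestamp, message) and the host names are assumptions; the `hour` field is taken from the timestamp exactly as the question describes. The first pass plays the bracketed subsearch (hosts with a DISABLE END event at hour>00), the second pass plays the outer search (END ABCD234 hour>00, minus those hosts), and `host_exclusion_filter` shows roughly the `NOT (host="..." OR host="...")` clause Splunk substitutes for the subsearch.

```python
"""Emulate the accepted answer's two-pass search over constructed log lines.

The SPL it mirrors:

    index=... sourcetype=... END ABCD234 hour>00
        NOT [search index=... sourcetype=... DISABLE END hour>00
             | stats count by host | table host]

The bracketed subsearch runs first and yields the set of hosts that logged a
"DISABLE END" event after hour 00; the outer search then keeps only
"END ABCD234" events after hour 00 from hosts outside that set.
Added illustration, not code from the thread or from Splunk.
"""
import re

# Constructed sample events in the assumed form "<host> <HH:MM:SS> <message>".
SAMPLE_EVENTS = """\
srv01 00:45:10 END ABCD234 batch finished
srv01 01:15:38 END ABCD234 batch finished
srv02 01:20:00 DISABLE END maintenance window
srv02 02:05:12 END ABCD234 batch finished
srv03 00:10:00 DISABLE END maintenance window
srv03 03:30:00 END ABCD234 batch finished
srv04 04:00:00 END ABCD234 batch finished
""".splitlines()

# hour is taken from the leading timestamp, as in the question (01:15:38 -> 01).
EVENT_RE = re.compile(r"^(?P<host>\S+)\s+(?P<hour>\d{2}):\d{2}:\d{2}\s+(?P<msg>.*)$")


def parse(line):
    """Return {host, hour, msg} for a well-formed line, else None."""
    m = EVENT_RE.match(line)
    if m is None:
        return None
    return {"host": m["host"], "hour": int(m["hour"]), "msg": m["msg"]}


def has_terms(msg, *terms):
    """Approximate Splunk keyword matching: every term present, case-insensitive,
    with the message split into tokens on non-word characters."""
    tokens = {t.lower() for t in re.split(r"\W+", msg) if t}
    return all(term.lower() in tokens for term in terms)


def disabled_hosts(events):
    """The subsearch: hosts with at least one 'DISABLE END' event where hour > 00."""
    return {e["host"] for e in events
            if has_terms(e["msg"], "DISABLE", "END") and e["hour"] > 0}


def host_exclusion_filter(hosts):
    """Roughly the clause Splunk substitutes for the subsearch:
    NOT (host="a" OR host="b"). Sorted so the output is deterministic."""
    clause = " OR ".join(f'host="{h}"' for h in sorted(hosts))
    return f"NOT ({clause})"


def main_search(events):
    """The outer search: END ABCD234 hour>00 from hosts not in the exclusion set."""
    excluded = disabled_hosts(events)
    return [e for e in events
            if has_terms(e["msg"], "END", "ABCD234")
            and e["hour"] > 0
            and e["host"] not in excluded]


def run(lines):
    """Parse raw lines and return the surviving events as (host, hour) pairs."""
    events = [e for e in map(parse, lines) if e is not None]
    return [(e["host"], e["hour"]) for e in main_search(events)]


if __name__ == "__main__":
    events = [e for e in map(parse, SAMPLE_EVENTS) if e is not None]
    print(host_exclusion_filter(disabled_hosts(events)))
    for host, hour in run(SAMPLE_EVENTS):
        print(host, hour)
```

Two things the emulation makes visible. First, the hour>00 condition inside the subsearch means a host whose DISABLE END event falls in hour 00 (srv03 above) is not excluded, and its later END ABCD234 events survive; if any DISABLE END event should disqualify a host regardless of hour, drop hour>00 from the subsearch only. Second, the subsearch is expanded into a host="..." OR host="..." list before the outer search runs, and Splunk caps subsearches by default at 10,000 results and 60 seconds, so on a large estate with many disabled hosts the exclusion list can be silently incomplete; check the search job's messages for a truncation warning.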
Re: How do you execute a two-pattern search where the first pattern's host (a field) should be ignored in the second pattern search?

New Member

Thanks for your help.

Re: How do you execute a two-pattern search where the first pattern's host (a field) should be ignored in the second pattern search?

Legend

@jeevananm06, if your issue is resolved, do accept this answer to mark your question as answered!

| eval message="Happy Splunking!!!"

Re: How do you execute a two-pattern search where the first pattern's host (a field) should be ignored in the second pattern search?

New Member

Done. Thanks for your help.
