Archive
Highlighted

Using "NOT" in splunk ?

New Member

How to use the NOT operator for combination of two words.

In my log I need to eliminate the errors by considering the combination of the words.

"2013.02.12-03:11:40.818(PST)|sessionid1----|messageid1|clientid1|messageName1|severname1:instance1|exception1 : nullpointer1 exception in the request"
2013.02.12-03:11:40.819(PST)|sessionid2----|messageid2|clientid2|messageName2|severname2:instance2|exception2 : nullpointer2 exception in the request"
2013.02.12-03:11:40.818(PST)|sessionid----|messageid|clientid|messageName|severname:instance|exception : nullpointer exception in the request"
2013.02.12-03:11:40.830(PST)|sessionid3----|messageid3|clientid3|messageName3|severname3:instance3|exception3 : nullpointer3 exception in the request"

I need to eliminate the logs statements which comes with nullpointers and the messageNames

I have written the query as:

source="error_log" host=severname NOT ("messageName1 AND nullpointer1") OR NOT ("messageName2 AND nullpointer2") OR NOT ("messageName3 AND nullpointer3")

if i use this query in splunk, sometime i am able to view the logs which i need to eliminate.
Could you please anyone help me is there any wrong in my query, please let em know the best optimisation.

Tags (1)
0 Karma
Highlighted

Re: Using "NOT" in splunk ?

Communicator

Isn't a simple

source="error_log" host=servername NOT nullpointer* 

what you're looking for?

Highlighted

Re: Using "NOT" in splunk ?

New Member

I want to eliminate the lines with combination of "messageName1 and nullpointer1". So i have wrritten as query as NOT ("messageName1 AND nullpointer1").

if the line contains both the words, it should not be displayed. But when i am writting this query i am able to see the lines with the combination of these words.

Could you please advice me to write a correct query.

0 Karma
Highlighted

Re: Using "NOT" in splunk ?

Splunk Employee
Splunk Employee

The way you've placed your double quotes doesn't treat AND as a keyword; it's looking for an entire string reading literally "messageName1 AND nullpointer1", which doesn't seem to appear in your data as such. Place quotes around individual words, like NOT ("messageName1" AND "nullpointer1").