Archive

Using "NOT" in splunk ?

New Member

How to use the NOT operator for combination of two words.

In my log I need to eliminate the errors by considering the combination of the words.

"2013.02.12-03:11:40.818(PST)|sessionid1----|messageid1|clientid1|messageName1|severname1:instance1|exception1 : nullpointer1 exception in the request"
2013.02.12-03:11:40.819(PST)|sessionid2----|messageid2|clientid2|messageName2|severname2:instance2|exception2 : nullpointer2 exception in the request"
2013.02.12-03:11:40.818(PST)|sessionid----|messageid|clientid|messageName|severname:instance|exception : nullpointer exception in the request"
2013.02.12-03:11:40.830(PST)|sessionid3----|messageid3|clientid3|messageName3|severname3:instance3|exception3 : nullpointer3 exception in the request"

I need to eliminate the logs statements which comes with nullpointers and the messageNames

I have written the query as:

source="error_log" host=severname NOT ("messageName1 AND nullpointer1") OR NOT ("messageName2 AND nullpointer2") OR NOT ("messageName3 AND nullpointer3")

if i use this query in splunk, sometime i am able to view the logs which i need to eliminate.
Could you please anyone help me is there any wrong in my query, please let em know the best optimisation.

Tags (1)
0 Karma

Splunk Employee
Splunk Employee

The way you've placed your double quotes doesn't treat AND as a keyword; it's looking for an entire string reading literally "messageName1 AND nullpointer1", which doesn't seem to appear in your data as such. Place quotes around individual words, like NOT ("messageName1" AND "nullpointer1").

New Member

I want to eliminate the lines with combination of "messageName1 and nullpointer1". So i have wrritten as query as NOT ("messageName1 AND nullpointer1").

if the line contains both the words, it should not be displayed. But when i am writting this query i am able to see the lines with the combination of these words.

Could you please advice me to write a correct query.

0 Karma

Communicator

Isn't a simple

source="error_log" host=servername NOT nullpointer* 

what you're looking for?