How to use the NOT operator for a combination of two words.
In my log I need to eliminate the errors by considering the combination of the words.
"2013.02.12-03:11:40.818(PST)|sessionid1----|messageid1|clientid1|messageName1|severname1:instance1|exception1 : nullpointer1 exception in the request"
2013.02.12-03:11:40.819(PST)|sessionid2----|messageid2|clientid2|messageName2|severname2:instance2|exception2 : nullpointer2 exception in the request"
2013.02.12-03:11:40.818(PST)|sessionid----|messageid|clientid|messageName|severname:instance|exception : nullpointer exception in the request"
2013.02.12-03:11:40.830(PST)|sessionid3----|messageid3|clientid3|messageName3|severname3:instance3|exception3 : nullpointer3 exception in the request"
I need to eliminate the log statements which come with nullpointers and the messageNames.
I have written the query as:
source="error_log" host=severname NOT ("messageName1 AND nullpointer1") OR NOT ("messageName2 AND nullpointer2") OR NOT ("messageName3 AND nullpointer3")
If I use this query in Splunk, sometimes I am able to view the logs which I need to eliminate.
Could anyone please help me? Is there anything wrong in my query? Please let me know the best optimisation.
I want to eliminate the lines with the combination of "messageName1 and nullpointer1". So I have written the query as NOT ("messageName1 AND nullpointer1").
If the line contains both the words, it should not be displayed. But when I am writing this query I am able to see the lines with the combination of these words.
Could you please advise me on how to write a correct query?
The way you've placed your double quotes doesn't treat AND as a keyword; it's looking for an entire string reading literally "messageName1 AND nullpointer1", which doesn't seem to appear in your data as such. Place quotes around individual words, like
NOT ("messageName1" AND "nullpointer1").
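An added example, not part of the original thread and written in Python rather than SPL: a simplified model of the query shapes discussed above, run over events constructed from the question's sample lines. It assumes plain case-insensitive substring matching in place of Splunk's own indexing, and it goes one step beyond the answer by also modelling how the three NOT groups are combined; all function names are hypothetical.

```python
# Constructed sample events: the question's log lines with the timestamps dropped.
EVENTS = [
    "sessionid1----|messageid1|clientid1|messageName1|severname1:instance1|exception1 : nullpointer1 exception in the request",
    "sessionid2----|messageid2|clientid2|messageName2|severname2:instance2|exception2 : nullpointer2 exception in the request",
    "sessionid----|messageid|clientid|messageName|severname:instance|exception : nullpointer exception in the request",
    "sessionid3----|messageid3|clientid3|messageName3|severname3:instance3|exception3 : nullpointer3 exception in the request",
]

# The word pairs that should cause an event to be excluded.
PAIRS = [
    ("messageName1", "nullpointer1"),
    ("messageName2", "nullpointer2"),
    ("messageName3", "nullpointer3"),
]


def has(event, text):
    """Assumption: a search term is modelled as a case-insensitive substring match."""
    return text.lower() in event.lower()


def original_query(event):
    # NOT ("a AND b") OR NOT ("c AND d") OR ...
    # Each quoted group is one literal phrase, "AND" included.
    return any(not has(event, f"{a} AND {b}") for a, b in PAIRS)


def quotes_fixed_only(event):
    # NOT ("a" AND "b") OR NOT ("c" AND "d") OR ...
    # AND is now an operator, but OR-ing the NOT groups keeps every event
    # that fails to match at least one of the pairs.
    return any(not (has(event, a) and has(event, b)) for a, b in PAIRS)


def exclude_any_pair(event):
    # NOT (("a" AND "b") OR ("c" AND "d") OR ...)
    # An event is dropped as soon as it matches any one pair.
    return not any(has(event, a) and has(event, b) for a, b in PAIRS)


def kept(predicate):
    """Return the 1-based positions of the events the predicate lets through."""
    return [i for i, event in enumerate(EVENTS, 1) if predicate(event)]


if __name__ == "__main__":
    for query in (original_query, quotes_fixed_only, exclude_any_pair):
        print(f"{query.__name__}: keeps events {kept(query)}")
```

In this model only the third shape removes the three unwanted events and keeps the one without a numbered pair.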