Re: Filtering the events excluding certain word fr...

deepak_93 · ‎06-09-2020

I need to filter the event which does not contain word "error".

For example, I have events containing-
"POST /operation/requiredword"
"POST /operation/requiredword | error".

I want to count only the "POST /operation/requiredword" and exclude the "POST /operation/requiredword | error".

Here is the query I am using right now and it is giving me both the events with and without containing "error":

index="depat-test-app"
| rex "DN: (?<ConsumingApp>.*?)[}\s]"
| rex field=_raw "(?<Passed>(POST \/opertion\/requiredword))
| stats count(passed) by ConsumingApp

What I want is something like this:

index="depat-test-app" | rex "DN: (?<ConsumingApp>.*?)[}\s]" | rex field=_raw "(?<Passed>(POST \/operation\/requiredword NOT error )) | stats count(passed) by ConsumingApp

vnravikumar · ‎06-10-2020

Hi

Try this

| makeresults 
| eval test="\"POST /operation/requiredword\",\"POST /operation/requiredword | error\"" 
| makemv delim="," test 
| mvexpand test 
| regex test!="(\| error)"

Filtering the events excluding certain word from regex

table

Shape the Future of Splunk: Join the Product Research Lab!

Auto-Injector for Everything Else: Making OpenTelemetry Truly Universal

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

Are you a member of the Splunk Community?

Filtering the events excluding certain word from regex

table

Shape the Future of Splunk: Join the Product Research Lab!

Auto-Injector for Everything Else: Making OpenTelemetry Truly Universal

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions