Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Display sources which do not have a string

nbk7e9d
New Member
‎08-27-2013 11:50 AM

Hello,

When I restart a large application with hundreds of processes, I can see a string like "startup successful" from the logs.

How can I display a list of host and sources which do not have this string?

host1:/a/b/c1/file1.log
host1:/a/b/c2/file2.log
host1:/a/b/c3/file3.log
host2:/a/b/c1/file1.log
host2:/a/b/c2/file2.log
host2:/a/b/c3/file3.log
...

Suppose host99:/a/b/c13/file23.log did not have the "startup successful" string. How would I display that?

Tags (3)
0 Karma
Reply

kristian_kolb
Ultra Champion
‎08-27-2013 12:34 PM

Proving the negative is a bit harder than opposite. Assuming that all of those files are of the same sourcetype, one approach is to use a simple subsearch;

sourcetype=XXX earliest=-15m NOT [search sourcetype=XXX earliest=-15m "startup successful" | dedup host, source | fields + host, source] | dedup host, source | table host, source

Set the earliest time at the time of the restart, so you don't get irrelevant older events included. In this case I gave the application 15 minutes to startup, before running the search so-to-speak.

/K

Reply

nbk7e9d
New Member
‎08-28-2013 10:35 AM

The double negative type question is confusing me. 🙂 This search will give me a table of hosts,logs that do NOT have "start successful" message from the time I choose in the TimePicker.

0 Karma
Reply

HiroshiSatoh
Champion
‎08-27-2013 07:28 PM

Is not output to the list if any (host log is not output) host has not been activated within the specified time that it is the search is present but OK?

0 Karma
Reply

nbk7e9d
New Member
‎08-27-2013 03:01 PM

Since I'm selecting a custom time from the timepicker and my sourcetypes aren't exactly the same, I used:

host=host* sourcetype=logs* NOT [search host=host* sourcetype=logs* "startup successful" | dedup host, source | fields + host, source] | dedup host, source | table host, source

This works nicely. Thanks!

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Quantify Your Splunk Investment Impact: Introducing Savings Metrics to Value Insights

Building on the foundation established in our initial Value Insights releases, we are introducing the Savings ...

Event Series: Telemetry Pipeline Management

Balancing Scale and Spend: Gaining Control Over High-Volume Metrics in Splunk Observability Cloud As ...

Kick the Tires Before You Commit: A Hands-On Tour of the Splunk Observability Cloud ...

Evaluating an enterprise observability platform usually goes like this: fill out a form, get a free trial with ...