Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Exclude certain log with specific attribute from a search that has mutiple sources

Abdulm1
Explorer
‎01-26-2020 07:26 AM

I am trying creating a report that will run on schedule which combines different sourcetype to run from the datamodel like below.

| datamodel Email All_Email search
| search sourcetype = "ms0365log OR sourcetype = "emaillog" OR sourcetype=exchange2019 OR sourcetype=maillog

In the sourcetype=maillog i want during the search to exclude any maillog event that has final_rule!=scanning from the result. When I run the below command for one sourcetype it works well, but when I add the mutiple source type like above it fails.

Single sourcetype works fine
| datamodel Email All_Email search
| search sourcetype = "maillog" |spath final_rule | search final_rule!=scanning

Multiple sourcetype fails

| datamodel Email All_Email search
| search sourcetype = "ms0365log OR sourcetype = "emaillog" OR sourcetype=exchange2019 OR sourcetype=maillog "|spath final_rule | search final_rule!=scanning"
|
any ideas and I don't mind removing spath

0 Karma
Reply

to4kawa
Ultra Champion
‎01-26-2020 10:19 PM 
| datamodel Email All_Email search
| search "ms0365log" OR "emaillog" OR "exchange2019" OR "maillog"
| spath final_rule 
| search final_rule!=scanning

why don't you search strings?

Reply

Abdulm1
Explorer
‎01-26-2020 10:56 PM

@to4kawa When i used the search strings you gave above all other sourcetype events are not searched. I guess they are excluded because the other sourcetype do not have final_rule field .

0 Karma
Reply

to4kawa
Ultra Champion
‎01-26-2020 11:06 PM

Has your goal been achieved? if that is, please accept the answer.

0 Karma
Reply

Abdulm1
Explorer
‎01-27-2020 03:13 AM

No it has not been achieved as I only want logs from maillog that has the field final_rule=scanning to be excluded from the report , but now what happens is that the other source type entirely are all excluded as well, which is not what I want . I want to exclusion to be specific to one particular sourtcetype.

Thanks.

0 Karma
Reply

to4kawa
Ultra Champion
‎01-27-2020 04:05 AM

I am not sure the results OK.

 | datamodel Email All_Email search
 | search "ms0365log" OR "emaillog" OR "exchange2019" OR "maillog"

this is OK?

0 Karma
Reply

Abdulm1
Explorer
‎01-27-2020 04:08 AM

That works fine but the events with this fields "final_rule!=scanning" from maillog is not excluded which is what am trying to achieve. Thanks for your reply

0 Karma
Reply

to4kawa
Ultra Champion
‎01-27-2020 04:39 AM 
 | datamodel Email All_Email search
 | search "ms0365log" OR "emaillog" OR "exchange2019" OR "maillog"
 | search NOT ( "final_rule" AND "scanning") 
 | spath final_rule

How's this?

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...

🔐 Trust at Every Hop: How mTLS in Splunk Enterprise 10.0 Makes Security Simpler

From Idea to Implementation: Why Splunk Built mTLS into Splunk Enterprise 10.0  mTLS wasn’t just a checkbox ...