Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Exclude certain log with specific attribute from a search that has mutiple sources

Abdulm1
Explorer
‎01-26-2020 07:26 AM

I am trying creating a report that will run on schedule which combines different sourcetype to run from the datamodel like below.

| datamodel Email All_Email search
| search sourcetype = "ms0365log OR sourcetype = "emaillog" OR sourcetype=exchange2019 OR sourcetype=maillog

In the sourcetype=maillog i want during the search to exclude any maillog event that has final_rule!=scanning from the result. When I run the below command for one sourcetype it works well, but when I add the mutiple source type like above it fails.

Single sourcetype works fine
| datamodel Email All_Email search
| search sourcetype = "maillog" |spath final_rule | search final_rule!=scanning

Multiple sourcetype fails

| datamodel Email All_Email search
| search sourcetype = "ms0365log OR sourcetype = "emaillog" OR sourcetype=exchange2019 OR sourcetype=maillog "|spath final_rule | search final_rule!=scanning"
|
any ideas and I don't mind removing spath

0 Karma
Reply

to4kawa
Ultra Champion
‎01-26-2020 10:19 PM 
| datamodel Email All_Email search
| search "ms0365log" OR "emaillog" OR "exchange2019" OR "maillog"
| spath final_rule 
| search final_rule!=scanning

why don't you search strings?

Reply

Abdulm1
Explorer
‎01-26-2020 10:56 PM

@to4kawa When i used the search strings you gave above all other sourcetype events are not searched. I guess they are excluded because the other sourcetype do not have final_rule field .

0 Karma
Reply

to4kawa
Ultra Champion
‎01-26-2020 11:06 PM

Has your goal been achieved? if that is, please accept the answer.

0 Karma
Reply

Abdulm1
Explorer
‎01-27-2020 03:13 AM

No it has not been achieved as I only want logs from maillog that has the field final_rule=scanning to be excluded from the report , but now what happens is that the other source type entirely are all excluded as well, which is not what I want . I want to exclusion to be specific to one particular sourtcetype.

Thanks.

0 Karma
Reply

to4kawa
Ultra Champion
‎01-27-2020 04:05 AM

I am not sure the results OK.

 | datamodel Email All_Email search
 | search "ms0365log" OR "emaillog" OR "exchange2019" OR "maillog"

this is OK?

0 Karma
Reply

Abdulm1
Explorer
‎01-27-2020 04:08 AM

That works fine but the events with this fields "final_rule!=scanning" from maillog is not excluded which is what am trying to achieve. Thanks for your reply

0 Karma
Reply

to4kawa
Ultra Champion
‎01-27-2020 04:39 AM 
 | datamodel Email All_Email search
 | search "ms0365log" OR "emaillog" OR "exchange2019" OR "maillog"
 | search NOT ( "final_rule" AND "scanning") 
 | spath final_rule

How's this?

0 Karma
Reply
Get Updates on the Splunk Community!

Data Management Digest – December 2025

Welcome to the December edition of Data Management Digest! As we continue our journey of data innovation, the ...

Index This | What is broken 80% of the time by February?

December 2025 Edition   Hayyy Splunk Education Enthusiasts and the Eternally Curious!    We’re back with this ...

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...

Hello Splunk Community,   We're thrilled to share an exciting update that will help you manage your data more ...