Hi All,
Need your help in finding a solution for the problem below.
This is how my data appear in Index.
I want to filter only data having values like "SPLUNK" or "SPLUNK,HTSV" or "SPLUNK,CHECK" etc. from all the following labels (labels, label1, label2, label3, label4). I want to exclude the following data: "SPLUNK-AUTOCHECK", "SPLUNK-Mining", "DATA,SPLUNK-TRANSACTION", "SPLUNK_TRANSACTION", "SPLUNK-AUTO", "SPLUNK_AUTO". I want to remove all the values which start with "SPLUNK-************" or "SPLUNK_************".
I was trying to filter using the below query, but I'm unable to achieve it.
index=**** labels="SPLUNK" OR label1="SPLUNK" OR label2="SPLUNK" OR label4="SPLUNK"
When I use the above query, I'm getting the following values: "SPLUNK-AUTO", "DATA,SPLUNK-TRANSACTION", "SPLUNK", "SPLUNK,HTSV", "SPLUNK-AUTOCHECK". But I need only values like "SPLUNK".
I am able to achieve it with the below-mentioned query, but I still want to achieve it without a NOT condition.
index=**** labels="SPLUNK" OR label1="SPLUNK" OR label2="SPLUNK" OR label4="SPLUNK" NOT "SPLUNK-"
Thanks in advance...
@niketnilay ,
labels, label1, label2, label3, label4 won't be available in all events. One event may contain at least one label, or maybe 2 or 3 labels. At most, one event can contain a minimum of 1 label and a maximum of 5 labels. I need to fetch data only having the value "SPLUNK". "Etc." means there are n number of combination values with "SPLUNK". I have provided a little sample data here.
Any update on the above query?
@shankarananth do your events have labels, label1, label2 and label4 available in each event?
In your question you have mentioned that you need values of "SPLUNK" or "SPLUNK,HTSV" or "SPLUNK,CHECK" etc., but in your filter you have just used "SPLUNK". What is "etc."? Are there a fixed number of combinations or patterns?
In your question you have mentioned the filter to be applied on all label fields, i.e. labels, label1, label2, label3, label4, but in your query label3 is not present. Is it not required for filtering?
Following is a run anywhere search which generates data as per your question:
| makeresults
| eval labels="Project,SPLUNK-TRANSACTION", label1="SPLUNK-AUTO", label2="SPLUNK-AUTOCHECK",label3="SPLUNK-AUTOCHECK",label4="SPLUNK-Minig"
| append
[| makeresults
| eval labels="SPLUNK-AUTO", label1="SPLUNK", label2="SPLUNK-Mining",label3="SPLUNK-Evaluate",label4="SPLUNK"]
| append
[| makeresults
| eval labels="DATA,SPLUNK-TRANSACTION", label1="SPLUNK-AUTO", label2="SPLUNK-TRANSACTION,Fill",label3="SPLUNK",label4="SPLUNK,HTSV"]
| append
[| makeresults
| eval labels="SPLUNK,HTSV", label1="SPLUNK,HTSV", label2="SPLUNK,HTSV",label3="SPLUNK,Search",label4="SPLUNK,Data mining"]
| append
[| makeresults
| eval labels="KT,SPLUNK-HTSV", label1="SPLUNK_TRANSACTION", label2="SPLUNK",label3="SPLUNK",label4="SPLUNK,Super Store"]
| append
[| makeresults
| eval labels="KT,SPLUNK-HTSV,htsv", label1="SPLUNK,CHECK", label2="SPLUNK,CHECK",label3="SPLUNK,CHECK",label4="SPLUNK"]
| append
[| makeresults
| eval labels="SPLUNK", label2="SPLUNK,HTSV",label3="SPLUNK,CHECK",label4="SPLUNK_AUTO"]
| table labels label*
Based on your question and sample data, the following check will give all rows that are present in your data, i.e. with the filter "SPLUNK","SPLUNK,HTSV","SPLUNK,CHECK" applied on the labels, label1, label2 and label4 fields:
| search labels IN ( "SPLUNK","SPLUNK,HTSV","SPLUNK,CHECK" ) OR label1 IN ( "SPLUNK","SPLUNK,HTSV","SPLUNK,CHECK" ) OR label2 IN ( "SPLUNK","SPLUNK,HTSV","SPLUNK,CHECK" ) OR label4 IN ( "SPLUNK","SPLUNK,HTSV","SPLUNK,CHECK" )
Following is a query similar to your question, with only the SPLUNK filter applied on the labels, label1, label2 and label4 fields:
| search labels="SPLUNK" OR label1="SPLUNK" OR label2="SPLUNK" OR label4="SPLUNK"
It returns 4 of the 7 rows provided in your data. Which rows do you think are listed incorrectly? Do you need some specific columns to be removed instead?
Please add more clarification.
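One way to express the original poster's intent (keep an event when any label field is exactly "SPLUNK" or starts with "SPLUNK," while dropping "SPLUNK-..." and "SPLUNK_..." values) without a NOT clause is to test each label field against a regex with `foreach` and `match`. This is an added run-anywhere example, not part of either post; it assumes the wanted values are those matching `^SPLUNK(,|$)` (the "etc." in the question is read as "SPLUNK" followed by a comma and anything), that the wildcard `label*` covers labels, label1 ... label4, and it uses a constructed subset of the sample data above.

```spl
| makeresults
| eval labels="SPLUNK-AUTO", label1="SPLUNK", label2="SPLUNK-Mining"
| append [| makeresults | eval labels="DATA,SPLUNK-TRANSACTION", label1="SPLUNK_TRANSACTION", label4="SPLUNK-AUTOCHECK"]
| append [| makeresults | eval labels="SPLUNK,HTSV", label3="SPLUNK,CHECK"]
| append [| makeresults | eval labels="KT,SPLUNK-HTSV", label2="SPLUNK_AUTO"]
| fields - _time
| eval keep=0
| foreach label* [eval keep=if(match('<<FIELD>>', "^SPLUNK(,|$)"), 1, keep)]
| where keep=1
| fields - keep
| table labels label*
```

Fields missing from an event make `match` return null, so `if` falls through to the previous `keep` value and sparse events are handled; on the four constructed rows only the first (label1="SPLUNK") and third (labels="SPLUNK,HTSV") survive. In a real search, replace the `makeresults`/`append` rows with `index=...` and keep the `eval`/`foreach`/`where` pipeline.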
@niketnilay ,
If you have some update, please let me know.