How do you write a query that lists events from so...

maniishpawar · ‎01-09-2019

Hi,

I am trying to write a query to list events from source type A only when the corresponding event in source type B does not contain a specific event code. I believe the only correlation element here is the _time.

Real scenario: every time we deploy a build, there are some entries in a log file, but IIS server also generate an error event code at that time. I wanted to capture the IIS errors only when there is no build deployment.

Thanks

maniishpawar · ‎01-10-2019

Thank you for the query. but i tried using transactions it grouped the events but I dont have a way to say
startwith and does not endwith
| transaction host maxspan=2m startswith=(EventCode="5009") NOT (endswith=(EventCode="10003"))

kmorris_splunk · ‎01-09-2019

Try a subsearch, something like this:

sourcetype=access_combined NOT 
    [ search sourcetype=linux_secure 
    | eval clientip=dest 
    | fields clientip]

If the fieldnames are the same in each source, you won't need to do the eval that I did in my subsearch. This search above will show all of the clientip field values, within the time frame that I am searching, where those ip addresses aren't in the linux_secure sourcetype in the dest field.

I know this isn't specific to your data sources, but hopefully, you can extrapolate the concept to use in your search.

How do you write a query that lists events from source type A only when a corresponding event in source type B doesn't contain a specific event code?

Index This | I’m short for "configuration file.” What am I?

New Articles from Academic Learning Partners, Help Expand Lantern’s Use Case Library, ...

Your Guide to SPL2 at .conf24!