Splunk Enterprise
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to write a search to implement NOT IN functionality in SQL along with eval?

ShubhamWanne
Explorer
‎12-21-2022 06:08 AM

I am new to splunk and working on a complex query where;
I am supposed to implement NOT IN functionality in SQL along with eval

I want to skip all the IN-PROGRESS events who later went into COMPLETED state, and display all the events which are still in IN-PROGRESS state.

For example
COMPLETED events:

event1
event5
event4
event7

IN-PROGRESS events:

event3
event1
event4

Expected result
event3

Given below are the queries to fetch COMPLETED and IN-PROGRESS events:

index=abc message="*COMPLETED*" | eval splitStr=split(message, ",") | eval eventName=mvindex(splitStr,1) | table eventName
index=abc message="*IN-PROGRESS*" | eval splitStr=split(message, ",") | eval eventName=mvindex(splitStr,1) | table eventName


Thank you in advance.

Labels (1)
Labels
Tags (3)
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎12-21-2022 06:30 AM

Collect all IN-PROGRESS and COMPLETED events.  Keep only the most recent event for each unique identifier.  Discard the COMPLETED events and what is left will be those IN-PROGRESS and not COMPLETED.

index=abc (message="*IN-PROGRESS*" OR message="*COMPLETED*") 
| eval splitStr=split(message, ",") 
| eval eventName=mvindex(splitStr,1) 
| dedup eventName
| where NOT match(message, "COMPLETED")
| table eventName
---
If this reply helps you, Karma would be appreciated.
Reply

ShubhamWanne
Explorer
‎12-21-2022 07:58 AM

I appreciate the quick reponse @richgalloway 

but this query fails in scenario where:
COMPLETED (C)
Event1, Event2, Event3 and

IN-PROGRESS (I-P)
Event1, Event2, Event2, Event2

Then

index=abc (message="*IN-PROGRESS*" OR message="*COMPLETED*") 
| eval splitStr=split(message, ",") 
| eval eventName=mvindex(splitStr,1)

 This query will list
Event1(C), Event1(I-P), Event2(I-P),Event2(I-P),Event2(I-P),Event2(C),Event3(C)

and  

| dedup eventName

will return
 Event1(C), Event2(I-P),Event3(C)

and

| where NOT match(message, "COMPLETED")


will return 

Event2


Ideally, result should be 0.

Thank you.

Tags (3)
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎12-21-2022 12:12 PM

My query assumes events are in reverse time order, which is the default.  If that is not the case for your data then please advise so I can revise the query.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

ShubhamWanne
Explorer
‎12-21-2022 06:28 PM

IN-PROGRESS events are random and can have duplicate events name, they don't follow any kind of order as such.

Thank you.

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎12-22-2022 06:41 AM

If IN-PROGRESS arrives after COMPLETE then I would think the event is now in progress.  OTOH, if the logic is if COMPLETE is seen at any time then IN_PROGRESS must be ignored then try this query.

index=abc (message="*IN-PROGRESS*" OR message="*COMPLETED*") 
| eval splitStr=split(message, ",") 
| eval eventName=mvindex(splitStr,1) 
| stats values(message) as messages by eventName
| where isnull(mvfind(messages, "COMPLETED"))
| table eventName
---
If this reply helps you, Karma would be appreciated.
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Register for .conf25!
Get Updates on the Splunk Community!

.conf25 Global Broadcast: Don’t Miss a Moment

Hello Splunkers, .conf25 is only a click away.  Not able to make it to .conf25 in person? No worries, you can ...

Observe and Secure All Apps with Splunk

 Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

What's New in Splunk Observability - August 2025

What's New We are excited to announce the latest enhancements to Splunk Observability Cloud as well as what is ...