Solved: Back ground exclusion

cpeteman · ‎08-08-2013

So I have search and I would like to exclude all of those results from some future searches. Aside from specifying some by NOT, which given the length of the first search would be questionable at best. Is there a way to make this exclusion in the backgrounmd not in search?

Here is the search:

search terms  | eval TimeInHour=_time%3600 
| rex mode=sed "s/ \d{4}-\d{1,2}-\d{1,2} \d{1,2}:\d{1,2}:\d{1,2}//g" 
| stats first(_raw) by punct,TimeInHour,_raw,_time 
|  stats count by _raw,TimeInHour,punct 
|  addinfo| eval hours = round((info_max_time - info_min_time)/3600,0) 
| where count > hours-1

sdaniels · ‎08-09-2013

Updated:

In this case, you'll want to use a macros and that will allow you to reference the macro and simplify the look of the search and if you ever need to use it in an adhoc fashion you'll just need to remember the macro.

http://docs.splunk.com/Documentation/Splunk/5.0.4/Search/Usesearchmacros

View solution in original post

sdaniels · ‎08-09-2013

Updated:

In this case, you'll want to use a macros and that will allow you to reference the macro and simplify the look of the search and if you ever need to use it in an adhoc fashion you'll just need to remember the macro.

http://docs.splunk.com/Documentation/Splunk/5.0.4/Search/Usesearchmacros

cpeteman · ‎08-09-2013

I made a new question as a follow up, but I've not forgotten this one. if it gets answered and it turns out that macro's are the way to go I'll mark this as the right answers 😉

cpeteman · ‎08-09-2013

Having trouble, based on the posted search do you know how I would make the filter macro?

cpeteman · ‎08-09-2013

Ah ok,,,,,

sdaniels · ‎08-09-2013

You can't use a macro in that way with NOT. However you write the macro the intent should be that it filters out what you don't want to see.

cpeteman · ‎08-09-2013

So I got the marco running as hourly when I search:

hourly I get the results I would expect

However excluding

search terms NOThourly``

gives no results which is not what I expected or want.

sdaniels · ‎08-09-2013

Updated above. You can use the SED command at index time and mask or delete data as well. However, that would affect all future searches of that data.

cpeteman · ‎08-09-2013

I posted as you can see it needs quite a bit of piping

sdaniels · ‎08-09-2013

Lets see the search and what you are trying to simplify. Eventtype will be for anything narrowing down search without and pipes like sourcetype='x' AND error NOT failure NOT critical NOT down. A macros can make use of pipes however. Depends on what you are trying to achieve.

http://docs.splunk.com/Documentation/Splunk/5.0.4/Search/Usesearchmacros

cpeteman · ‎08-09-2013

So I tried creating an event type but the search I have is too complicated and gives me:

" Message: Eventtype search string cannot be a search pipeline or contain a subsearch"

Want me to post the full search?

Back ground exclusion

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Splunk Community Badges!

How to find the worst searches in your Splunk environment and how to fix them

Share Your Feedback: On Admin Config Service (ACS)!

Join the Conversation

Back ground exclusion

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Splunk Community Badges!

How to find the worst searches in your Splunk environment and how to fix them

Share Your Feedback: On Admin Config Service (ACS)!