Solved: Checking log if some values exist

ivana27 · ‎06-04-2021

Hello Splunkers,

please help.

I have two types of search result and i want to make alert only when 1.) occured:

1.) 2021-05-18 13:15:46.433 [Information] Downtime start:18/05/2021 11:15:46.431 sdsSrv:NotAvailable...

2.)2021-05-18 11:23:46.285 [Information] Downtime start:18/05/2021 06:05:29.241, end:18/05/2021 09:23:46.278

So, how to make search where i will get those results containing log with 'Downtime start' and not ones with 'end'

Thank you

gcusello · ‎06-04-2021

you have to run a simple search like the following:

index=your_index "Downtime start" NOT "end"
| ...

or

index=your_index "Downtime start" "sdsSrv:NotAvailable"
| ...

The second one is more performant because a positive condition is always quicker than a negative condition.

Ciao.

Giuseppe

gcusello · ‎06-04-2021

you have to run a simple search like the following:

index=your_index "Downtime start" NOT "end"
| ...

or

index=your_index "Downtime start" "sdsSrv:NotAvailable"
| ...

The second one is more performant because a positive condition is always quicker than a negative condition.

Ciao.

Giuseppe

Checking log if some values exist