Splunk Search

Comparing matching fields in macro

SplunkNewbie18
New Member

Hi,

I would like to display results if both the user and src_user fields match, but it shows an "unbalanced parentheses" error.

Main search:
index=windows ...... NOT (same_login_macro)
| table src_user, user

Macro for same_login_macro:
"failed" | where src_user=user

Can someone help: how do I return search results when the values of both fields match, using "where" or another workable method in a macro?

1 Solution

vishaltaneja070
Motivator

Hello @SplunkNewbie18

Try this: index=windows ...... NOT same_login_macro
| table src_user, user

SplunkNewbie18
New Member

Hmm... nope, it doesn't work. Returns me 0 results. 😞 I'm using the macros as a whitelisting concept to exclude events from the results.


harishalipaka
Motivator

Can you explain in depth what you want?

Thanks
Harish

vishaltaneja070
Motivator

As per the macro definition, this will be the search:
index=windows ...... NOT "failed" | where src_user=user
| table src_user, user

This will be the search that runs in the background. Could you please let me know the exact requirement? What is required, as the above search is "searching for events in the windows index, then filtering the events which do not have the "failed" keyword, and then searching for events where src_user = user"?


SplunkNewbie18
New Member

I have multiple macros in the main search but am simplifying it for illustration purposes. For instance:

Main search
index=windows NOT macro1 NOT macro2

Macro 1
"success" user="admin"

Macro 2
"failed" | where src_user=user

If you suggest to put NOT macro2, it will not work, as it will perform the NOT condition and then the where -> (NOT "failed") | where src_user=user. Whereas what I'm looking for is NOT the results found in ("failed" | where src_user=user).


vishaltaneja070
Motivator

I think you need to try a subsearch in this case, like:

 index=windows NOT `macro1` | search NOT [ search index=windows "failed" | where src_user=user]

OR

 index=windows NOT macro1 | search NOT [`macro2` ]

MACRO2:

 search index=windows "failed" | where src_user=user
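The whitelist pattern from the accepted answer, written out as macros.conf stanzas with the calling search. This is an added example, not code from the thread; the macro names, the windows index and the src_user/user fields are assumed.

```spl
# macros.conf (added example; macro names and fields are assumed)

# A plain filter macro: it only contributes search terms, so it can be
# negated inline with NOT `known_admin_success`.
[known_admin_success]
definition = "success" user="admin"

# A macro that compares two fields needs the where command, because
# `search src_user=user` would compare src_user to the literal "user".
# Because it contains a pipe, it cannot be negated inline; it must run as
# a whole unit inside a subsearch, so it carries its own leading "search".
# Returning only the two fields keeps the NOT clause Splunk builds from the
# subsearch small: (src_user=A AND user=A) OR (src_user=B AND user=B) ...
[same_user_login]
definition = search index=windows "failed" | where src_user=user | dedup src_user user | fields src_user user

# Calling search (added example):
#   index=windows NOT `known_admin_success`
#   | search NOT [ `same_user_login` ]
#   | table _time, src_user, user
```

Subsearches are capped by limits.conf (by default 10,000 results and 60 seconds), so a whitelist that can exceed that will silently stop excluding events; check the job inspector for subsearch truncation warnings on busy indexes.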

SplunkNewbie18
New Member

Ohhh great! It works. Thanks vishal!


vishaltaneja070
Motivator

@SplunkNewbie18

No Problem 🙂
Can you please accept the answer to close the thread.
