Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Comparing matching fields in macro

SplunkNewbie18
New Member
‎01-29-2019 08:40 PM

Hi,

I would like to display results if both user and src_user field is match but it shows an "unbalanced parentheses" error.

Main search:
index=windows ...... NOT (same_login_macro)
| table src_user, user

Macro for same_login_macro:
"failed" | where src_user=user

Can someone help - how to return search result when value of both field matched using "where" or other workable method for us in macro?

Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

vishaltaneja070
Motivator
‎01-29-2019 10:24 PM

Hello @SplunkNewbie18

Try this: index=windows ...... NOT same_login_macro
| table src_user, user

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

vishaltaneja070
Motivator
‎01-29-2019 10:24 PM

Hello @SplunkNewbie18

Try this: index=windows ...... NOT same_login_macro
| table src_user, user

0 Karma
Reply
Solved! Jump to solution

SplunkNewbie18
New Member
‎01-29-2019 11:51 PM

Hmm...nope it doesnt work. Returns me 0 result. 😞 im using the macros as whitelisting concept to exclude events from the results.

0 Karma
Reply
Solved! Jump to solution

harishalipaka
Motivator
‎01-30-2019 12:09 AM

can u explain in depth what do u want

Thanks
Harish
0 Karma
Reply
Solved! Jump to solution

vishaltaneja070
Motivator
‎01-30-2019 12:04 AM

As per the macro definition, this will be the search
index=windows ...... NOT "failed" | where src_user=user
| table src_user, user

This will be search which is running in background. could you please let me the exact requirement. What is required as the above search is " Searching for events in windows index, then filter the events which is not having "failed" keyword and the searching for events where sec_user = user"

0 Karma
Reply
Solved! Jump to solution

SplunkNewbie18
New Member
‎01-30-2019 12:17 AM

I have mutiple macros in the main search but simplyfying it for illustartion purposes. For instance:

Main search
index=windows NOT macro1 NOT macro2

Macro 1
"success" user="admin"

Macro 2
"failed" | where src_user=user

If you suggest to put NOT macro2 it will not work as they will perform the NOT condition and then followed by where -> (NOT "failed") | where src_user=user. Whereas what im looking for is NOT the results found in ("failed" | where src_user=user).

0 Karma
Reply
Solved! Jump to solution

vishaltaneja070
Motivator
‎01-30-2019 12:31 AM

I think,you need to try subsearch in this case:
like

 index=windows NOT `macro1` | search NOT [ search index=windows "failed" | where src_user=user]

OR 

 index=windows NOT macro1 | search NOT [`macro2` ]

MACRO2:

 search index=windows "failed" | where src_user=user
0 Karma
Reply
Solved! Jump to solution

SplunkNewbie18
New Member
‎01-30-2019 09:56 PM

Ohhh great! It workss. Thanks vishal!

0 Karma
Reply
Solved! Jump to solution

vishaltaneja070
Motivator
‎01-30-2019 10:26 PM

@SplunkNewbie18

No Problem 🙂
Can you please accept the answer to close the thread.

0 Karma
Reply
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...