Hi,
I would like to display results if both user and src_user field is match but it shows an "unbalanced parentheses" error.
Main search:
index=windows ...... NOT (`same_login_macro`)
| table src_user, user
Macro for same_login_macro:
"failed" | where src_user=user
Can someone help - how to return search result when value of both field matched using "where" or other workable method for us in macro?
Hello @SplunkNewbie18
Try this: index=windows ...... NOT same_login_macro
| table src_user, user
Hmm... nope, it doesn't work. Returns me 0 results. 😞 I'm using the macros as a whitelisting concept to exclude events from the results.
Can you explain in depth what you want?
As per the macro definition, this will be the search
index=windows ...... NOT "failed" | where src_user=user
| table src_user, user
This will be the search which is running in the background. Could you please let me know the exact requirement. What is required, as the above search is "Searching for events in the windows index, then filtering the events which do not have the "failed" keyword, and then searching for events where src_user = user"?
I have multiple macros in the main search but am simplifying it for illustration purposes. For instance:
Main search
index=windows NOT `macro1` NOT `macro2`
Macro 1
"success" user="admin"
Macro 2
"failed" | where src_user=user
If you suggest putting NOT `macro2`, it will not work as it will perform the NOT condition and then the where -> (NOT "failed") | where src_user=user. Whereas what I'm looking for is NOT the results found in ("failed" | where src_user=user).
I think you need to try a subsearch in this case, like:
index=windows NOT `macro1` | search NOT [ search index=windows "failed" | where src_user=user]
OR
index=windows NOT macro1 | search NOT [`macro2` ]
MACRO2:
search index=windows "failed" | where src_user=user
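To make the difference between the two approaches concrete, here is an added Python model (not from the thread and not Splunk code) of how SPL evaluates `NOT \`macro2\`` versus `search NOT [ subsearch ]` over a few constructed events. It assumes that the subsearch returns only the src_user and user fields, which Splunk then rewrites into `(src_user=X AND user=Y) OR ...` for the outer NOT.

```python
# Toy model of how Splunk evaluates the two approaches from the thread.
# Sample events are constructed here, not taken from the thread.
EVENTS = [
    {"_raw": "logon success", "src_user": "alice", "user": "alice"},
    {"_raw": "logon failed",  "src_user": "bob",   "user": "bob"},    # failed, same user
    {"_raw": "logon failed",  "src_user": "bob",   "user": "carol"},  # failed, different user
    {"_raw": "logon success", "src_user": "dave",  "user": "erin"},
]

MACRO2 = '"failed" | where src_user=user'   # macro body exactly as in the thread


def expand_macro_inline(events):
    """NOT `macro2` after textual expansion: NOT "failed" | where src_user=user.

    NOT binds only to "failed"; the pipe then applies the where clause to the
    outer pipeline, so only non-failed events with src_user == user survive.
    """
    stage1 = [e for e in events if "failed" not in e["_raw"]]     # NOT "failed"
    return [e for e in stage1 if e["src_user"] == e["user"]]       # | where src_user=user


def subsearch_pairs(events):
    """The subsearch [ search index=windows "failed" | where src_user=user ]
    runs first and yields one (src_user, user) result per matching event."""
    return [(e["src_user"], e["user"])
            for e in events if "failed" in e["_raw"] and e["src_user"] == e["user"]]


def exclude_via_subsearch(events):
    """search NOT [ subsearch ]: the subsearch results become
    (src_user=X AND user=Y) OR ... and the outer NOT drops any event matching
    one of those field-value combinations (assumption: only src_user and user
    come back from the subsearch)."""
    excluded = set(subsearch_pairs(events))
    return [e for e in events if (e["src_user"], e["user"]) not in excluded]


if __name__ == "__main__":
    print("inline macro:", [f'{e["_raw"]} {e["user"]}' for e in expand_macro_inline(EVENTS)])
    print("subsearch   :", [f'{e["_raw"]} {e["user"]}' for e in exclude_via_subsearch(EVENTS)])
```

Note that the subsearch excludes by field values, not by event identity: if a "logon success" event for bob/bob also existed, it would be dropped too, because it matches the same src_user/user pair. Adding a distinguishing field to the subsearch output (or the macro) keeps the exclusion narrow.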
Ohhh great! It works. Thanks vishal!
@SplunkNewbie18
No Problem 🙂
Can you please accept the answer to close the thread.