Splunk Search

Comparing matching fields in macro

SplunkNewbie18
New Member

Hi,

I would like to display results if both user and src_user field is match but it shows an "unbalanced parentheses" error.

Main search:
index=windows ...... NOT (same_login_macro)
| table src_user, user

Macro for same_login_macro:
"failed" | where src_user=user

Can someone help - how to return search result when value of both field matched using "where" or other workable method for us in macro?

Tags (3)
0 Karma
1 Solution

vishaltaneja070
Motivator

Hello @SplunkNewbie18

Try this: index=windows ...... NOT same_login_macro
| table src_user, user

View solution in original post

0 Karma

vishaltaneja070
Motivator

Hello @SplunkNewbie18

Try this: index=windows ...... NOT same_login_macro
| table src_user, user

0 Karma

SplunkNewbie18
New Member

Hmm...nope it doesnt work. Returns me 0 result. 😞 im using the macros as whitelisting concept to exclude events from the results.

0 Karma

harishalipaka
Motivator

can u explain in depth what do u want

Thanks
Harish
0 Karma

vishaltaneja070
Motivator

As per the macro definition, this will be the search
index=windows ...... NOT "failed" | where src_user=user
| table src_user, user

This will be search which is running in background. could you please let me the exact requirement. What is required as the above search is " Searching for events in windows index, then filter the events which is not having "failed" keyword and the searching for events where sec_user = user"

0 Karma

SplunkNewbie18
New Member

I have mutiple macros in the main search but simplyfying it for illustartion purposes. For instance:

Main search
index=windows NOT macro1 NOT macro2

Macro 1
"success" user="admin"

Macro 2
"failed" | where src_user=user

If you suggest to put NOT macro2 it will not work as they will perform the NOT condition and then followed by where -> (NOT "failed") | where src_user=user. Whereas what im looking for is NOT the results found in ("failed" | where src_user=user).

0 Karma

vishaltaneja070
Motivator

I think,you need to try subsearch in this case:
like

 index=windows NOT `macro1` | search NOT [ search index=windows "failed" | where src_user=user]

OR

 index=windows NOT macro1 | search NOT [`macro2` ]

MACRO2:

 search index=windows "failed" | where src_user=user
0 Karma

SplunkNewbie18
New Member

Ohhh great! It workss. Thanks vishal!

0 Karma

vishaltaneja070
Motivator

@SplunkNewbie18

No Problem 🙂
Can you please accept the answer to close the thread.

0 Karma
Get Updates on the Splunk Community!

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...

March Community Office Hours Security Series Uncovered!

Hello Splunk Community! In March, Splunk Community Office Hours spotlighted our fabulous Splunk Threat ...

Stay Connected: Your Guide to April Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars in April. This post ...