Comparing matching fields in macro

SplunkNewbie18
New Member

Hi,

I would like to display results if both the user and src_user fields match, but it shows an "unbalanced parentheses" error.

Main search:
index=windows ...... NOT (same_login_macro)
| table src_user, user

Macro for same_login_macro:
"failed" | where src_user=user

Can someone help - how to return search results when the values of both fields match, using "where" or another workable method for use in a macro?

0 Karma
1 Solution

vishaltaneja070
Motivator

Hello @SplunkNewbie18

Try this: index=windows ...... NOT same_login_macro
| table src_user, user

0 Karma

SplunkNewbie18
New Member

Hmm... nope, it doesn't work. Returns me 0 results. 😞 I'm using the macros as a whitelisting concept to exclude events from the results.

0 Karma

harishalipaka
Motivator

Can you explain in depth what you want?

Thanks
Harish
0 Karma

vishaltaneja070
Motivator

As per the macro definition, this will be the search
index=windows ...... NOT "failed" | where src_user=user
| table src_user, user

This will be the search which is running in the background. Could you please let me know the exact requirement? What is required, as the above search is "Searching for events in the windows index, then filter the events which do not have the "failed" keyword, and then searching for events where src_user = user".

0 Karma

SplunkNewbie18
New Member

I have multiple macros in the main search but am simplifying it for illustration purposes. For instance:

Main search
index=windows NOT macro1 NOT macro2

Macro 1
"success" user="admin"

Macro 2
"failed" | where src_user=user

If you suggest putting NOT macro2, it will not work, as it will perform the NOT condition and then be followed by where -> (NOT "failed") | where src_user=user. Whereas what I'm looking for is NOT the results found in ("failed" | where src_user=user).

0 Karma

vishaltaneja070
Motivator

I think you need to try a subsearch in this case, like:

 index=windows NOT `macro1` | search NOT [ search index=windows "failed" | where src_user=user]

OR

 index=windows NOT macro1 | search NOT [`macro2` ]

MACRO2:

 search index=windows "failed" | where src_user=user
0 Karma

SplunkNewbie18
New Member

Ohhh great! It works. Thanks vishal!

0 Karma

vishaltaneja070
Motivator

@SplunkNewbie18

No problem 🙂
Can you please accept the answer to close the thread?

0 Karma
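
The expansion discussed in this thread, as an added example that is not from any poster or from Splunk: a simplified Python model that pastes macro text in verbatim, splits the result on top-level pipes, and checks each command's parentheses. The macro bodies are copied from the posts; the name `macro2_sub` for the redefined MACRO2 and all function names are assumptions, and this is not Splunk's actual parser.

```python
import re

# Macro bodies copied from the thread; "macro2_sub" is a hypothetical name for the redefined MACRO2.
MACROS = {
    "macro1": '"success" user="admin"',
    "macro2": '"failed" | where src_user=user',
    "macro2_sub": 'search index=windows "failed" | where src_user=user',
}

def expand(search, macros):
    """Paste each `name` macro body into the search verbatim (text substitution)."""
    return re.sub(r"`(\w+)`", lambda m: macros[m.group(1)], search)

def split_pipeline(search):
    """Split on pipes that are outside quotes and outside [subsearch] brackets."""
    parts, buf, depth, quoted = [], [], 0, False
    for ch in search:
        if ch == '"':
            quoted = not quoted
        elif not quoted and ch in "[]":
            depth += 1 if ch == "[" else -1
        if ch == "|" and not quoted and depth == 0:
            parts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf).strip())
    return parts

def balanced(segment):
    """True when the parentheses outside quotes pair up within one command."""
    depth, quoted = 0, False
    for ch in segment:
        if ch == '"':
            quoted = not quoted
        elif not quoted and ch in "()":
            depth += 1 if ch == "(" else -1
            if depth < 0:
                return False
    return depth == 0

def lint(search, macros=MACROS):
    """Return (commands after expansion, commands with unbalanced parentheses)."""
    parts = split_pipeline(expand(search, macros))
    return parts, [p for p in parts if not balanced(p)]

if __name__ == "__main__":
    for s in ("NOT (`macro2`)", "NOT `macro1` NOT `macro2`", "NOT `macro1` | search NOT [`macro2_sub`]"):
        print(lint("index=windows " + s))
```

In this model the first search leaves `(` and `)` in different commands, the second puts `NOT "failed"` in the base search with `where` as a separate command after it, and the third keeps the macro's pipe inside the subsearch brackets.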