Conditional search

zzhao05 · ‎11-12-2019

Below is the log example.
Fri Oct 11 20:01:48 2019: History was not closed with a proper agent termination after the above date.
Fri Oct 11 20:01:48 2019: Repairing of history database started...
Fri Oct 11 20:01:48 2019: NumRead 48 NumWritten 48
Fri Oct 11 20:01:48 2019: Successfully fixed parameter history database.
Fri Oct 11 20:01:48 2019: NumRead 48 NumWritten 48
Fri Oct 11 20:01:48 2019: Successfully fixed annotation database.
Fri Oct 11 20:01:48 2019: Repairing of history database was completed successfully

The first and last lines were the 2 strings that I was looking for in the log.

I wanted to create a search to return a list of servers' name where only string 1 is found and string2 is NOT. Because it's parsed as a separate event for each timestamp, simple "search1 NOT search2" doesn't work. I tried subsearch like search string 1 NOT [search string 2] and it still didn't work as what I expected. Any idea? Thanks.

Zhang

zzhao05 · ‎11-12-2019

Attached is the snapshot.. It's not what I was looking for.. I need a list of server names..

mayurr98 · ‎11-12-2019

yeah, so that's what you are getting. add |table server at the end. I am assuming that all the servers are stored in a field. if not then you would have to extract it.

zzhao05 · ‎11-12-2019

Cool... Thank you very much!! It worked.

mayurr98 · ‎11-12-2019

try this:

index=<your_index> |  eval field=case(like(_raw,"%History was not closed with a proper agent termination after the above date%"),"value1",like(_raw,"%Repairing of history database was completed successfully%"),"value2") 
|  stats dc(field) as dc_field values(field) as field by server 
| where dc_field="1" AND field=value1

mayurr98 · ‎11-13-2019

If it works for you please accept the answer to close this question.

Conditional search

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!