Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Conditional search

zzhao05
New Member
‎11-12-2019 11:45 AM

Below is the log example.
Fri Oct 11 20:01:48 2019: History was not closed with a proper agent termination after the above date.
Fri Oct 11 20:01:48 2019: Repairing of history database started...
Fri Oct 11 20:01:48 2019: NumRead 48 NumWritten 48
Fri Oct 11 20:01:48 2019: Successfully fixed parameter history database.
Fri Oct 11 20:01:48 2019: NumRead 48 NumWritten 48
Fri Oct 11 20:01:48 2019: Successfully fixed annotation database.
Fri Oct 11 20:01:48 2019: Repairing of history database was completed successfully

The first and last lines were the 2 strings that I was looking for in the log.

I wanted to create a search to return a list of servers' name where only string 1 is found and string2 is NOT. Because it's parsed as a separate event for each timestamp, simple "search1 NOT search2" doesn't work. I tried subsearch like search string 1 NOT [search string 2] and it still didn't work as what I expected. Any idea? Thanks.

Zhang

0 Karma
Reply

zzhao05
New Member
‎11-12-2019 01:35 PM

Attached is the snapshot.. It's not what I was looking for.. I need a list of server names..

Preview file
1 KB
0 Karma
Reply

mayurr98
Super Champion
‎11-12-2019 01:58 PM

yeah, so that's what you are getting. add |table server at the end. I am assuming that all the servers are stored in a field. if not then you would have to extract it.

0 Karma
Reply

zzhao05
New Member
‎11-12-2019 02:33 PM

Cool... Thank you very much!! It worked.

0 Karma
Reply

mayurr98
Super Champion
‎11-12-2019 12:10 PM

try this:

index=<your_index> |  eval field=case(like(_raw,"%History was not closed with a proper agent termination after the above date%"),"value1",like(_raw,"%Repairing of history database was completed successfully%"),"value2") 
|  stats dc(field) as dc_field values(field) as field by server 
| where dc_field="1" AND field=value1
0 Karma
Reply

mayurr98
Super Champion
‎11-13-2019 06:33 AM

If it works for you please accept the answer to close this question.

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...