Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Conditional search

zzhao05
New Member
‎11-12-2019 11:45 AM

Below is the log example.
Fri Oct 11 20:01:48 2019: History was not closed with a proper agent termination after the above date.
Fri Oct 11 20:01:48 2019: Repairing of history database started...
Fri Oct 11 20:01:48 2019: NumRead 48 NumWritten 48
Fri Oct 11 20:01:48 2019: Successfully fixed parameter history database.
Fri Oct 11 20:01:48 2019: NumRead 48 NumWritten 48
Fri Oct 11 20:01:48 2019: Successfully fixed annotation database.
Fri Oct 11 20:01:48 2019: Repairing of history database was completed successfully

The first and last lines were the 2 strings that I was looking for in the log.

I wanted to create a search to return a list of servers' name where only string 1 is found and string2 is NOT. Because it's parsed as a separate event for each timestamp, simple "search1 NOT search2" doesn't work. I tried subsearch like search string 1 NOT [search string 2] and it still didn't work as what I expected. Any idea? Thanks.

Zhang

0 Karma
Reply

zzhao05
New Member
‎11-12-2019 01:35 PM

Attached is the snapshot.. It's not what I was looking for.. I need a list of server names..

Preview file
1 KB
0 Karma
Reply

mayurr98
Super Champion
‎11-12-2019 01:58 PM

yeah, so that's what you are getting. add |table server at the end. I am assuming that all the servers are stored in a field. if not then you would have to extract it.

0 Karma
Reply

zzhao05
New Member
‎11-12-2019 02:33 PM

Cool... Thank you very much!! It worked.

0 Karma
Reply

mayurr98
Super Champion
‎11-12-2019 12:10 PM

try this:

index=<your_index> |  eval field=case(like(_raw,"%History was not closed with a proper agent termination after the above date%"),"value1",like(_raw,"%Repairing of history database was completed successfully%"),"value2") 
|  stats dc(field) as dc_field values(field) as field by server 
| where dc_field="1" AND field=value1
0 Karma
Reply

mayurr98
Super Champion
‎11-13-2019 06:33 AM

If it works for you please accept the answer to close this question.

0 Karma
Reply
Get Updates on the Splunk Community!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...