Splunk Search

Conditional search

zzhao05
New Member

Below is the log example.
Fri Oct 11 20:01:48 2019: History was not closed with a proper agent termination after the above date.
Fri Oct 11 20:01:48 2019: Repairing of history database started...
Fri Oct 11 20:01:48 2019: NumRead 48 NumWritten 48
Fri Oct 11 20:01:48 2019: Successfully fixed parameter history database.
Fri Oct 11 20:01:48 2019: NumRead 48 NumWritten 48
Fri Oct 11 20:01:48 2019: Successfully fixed annotation database.
Fri Oct 11 20:01:48 2019: Repairing of history database was completed successfully

The first and last lines were the 2 strings that I was looking for in the log.

I wanted to create a search to return a list of servers' name where only string 1 is found and string2 is NOT. Because it's parsed as a separate event for each timestamp, simple "search1 NOT search2" doesn't work. I tried subsearch like search string 1 NOT [search string 2] and it still didn't work as what I expected. Any idea? Thanks.

Zhang

0 Karma

zzhao05
New Member

Attached is the snapshot.. It's not what I was looking for.. I need a list of server names..

0 Karma

mayurr98
Super Champion

yeah, so that's what you are getting. add |table server at the end. I am assuming that all the servers are stored in a field. if not then you would have to extract it.

0 Karma

zzhao05
New Member

Cool... Thank you very much!! It worked.

0 Karma

mayurr98
Super Champion

try this:

index=<your_index> | eval field=case(like(_raw,"%History was not closed with a proper agent termination after the above date%"),"value1",like(_raw,"%Repairing of history database was completed successfully%"),"value2")
| stats dc(field) as dc_field values(field) as field by server
| where dc_field=1 AND field="value1"

0 Karma
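The reason a plain `search1 NOT search2` fails is that Splunk evaluates it per event, and each timestamped line is its own event, so no single event ever contains both strings. The answer above sidesteps that by tagging each event, then collapsing all events per server with `stats`, so the "has string 1 but not string 2" test runs on one row per server. The Python below is an added example (not from the thread or from Splunk) that emulates that eval/stats/where pipeline over a constructed set of events so the per-server logic can be checked offline. It assumes the server name is available as a field (`server` here, as in the answer); in a real deployment that would typically be `host` or an extracted field.

```python
from collections import defaultdict

# Constructed sample events (server, raw line), modelled on the log in the question.
# srv-a: repair started and completed; srv-b: repair started but never completed;
# srv-c: unrelated lines only; srv-d: completion line with no start line.
SAMPLE_EVENTS = [
    ("srv-a", "Fri Oct 11 20:01:48 2019: History was not closed with a proper agent termination after the above date."),
    ("srv-a", "Fri Oct 11 20:01:48 2019: Repairing of history database started..."),
    ("srv-a", "Fri Oct 11 20:01:48 2019: Repairing of history database was completed successfully"),
    ("srv-b", "Fri Oct 11 20:05:12 2019: History was not closed with a proper agent termination after the above date."),
    ("srv-b", "Fri Oct 11 20:05:12 2019: Repairing of history database started..."),
    ("srv-c", "Fri Oct 11 20:07:30 2019: NumRead 48 NumWritten 48"),
    ("srv-d", "Fri Oct 11 20:09:00 2019: Repairing of history database was completed successfully"),
]

# The two substrings the SPL like() clauses look for, mapped to the labels case() assigns.
PATTERNS = {
    "value1": "History was not closed with a proper agent termination after the above date",
    "value2": "Repairing of history database was completed successfully",
}


def classify(raw):
    """Emulates: eval field=case(like(_raw,"%...%"),"value1", like(_raw,"%...%"),"value2").

    case() returns the label of the first matching condition; with no match the
    field is null, which stats later ignores.
    """
    for label, needle in PATTERNS.items():
        if needle in raw:
            return label
    return None


def stats_by_server(events):
    """Emulates: stats dc(field) as dc_field values(field) as field by server.

    Every server that appears in the events gets a row, even if none of its
    lines matched (dc_field=0, empty values), just as stats would produce.
    """
    values = defaultdict(set)
    for server, raw in events:
        values[server]  # make sure the group exists even if nothing matches
        label = classify(raw)
        if label is not None:
            values[server].add(label)
    return {s: {"dc_field": len(v), "field": sorted(v)} for s, v in values.items()}


def unrepaired_servers(events):
    """Emulates: where dc_field=1 AND field="value1".

    Keeps only servers whose events contained string 1 and nothing else,
    i.e. a repair that started and was never reported complete.
    """
    rows = stats_by_server(events)
    return sorted(s for s, r in rows.items()
                  if r["dc_field"] == 1 and r["field"] == ["value1"])


if __name__ == "__main__":
    for server, row in sorted(stats_by_server(SAMPLE_EVENTS).items()):
        print(server, row)
    print("servers with string 1 only:", unrepaired_servers(SAMPLE_EVENTS))
```

Running it prints one row per server and then `['srv-b']`, the only server whose events contain the first string but not the second. Note that in the SPL `where` clause the literal must be double-quoted (`field="value1"`); an unquoted `value1` is read as a field name, which does not exist, so every row is dropped.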

mayurr98
Super Champion

If it works for you please accept the answer to close this question.

0 Karma