Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Conditional search

zzhao05
New Member
‎11-12-2019 11:45 AM

Below is the log example.
Fri Oct 11 20:01:48 2019: History was not closed with a proper agent termination after the above date.
Fri Oct 11 20:01:48 2019: Repairing of history database started...
Fri Oct 11 20:01:48 2019: NumRead 48 NumWritten 48
Fri Oct 11 20:01:48 2019: Successfully fixed parameter history database.
Fri Oct 11 20:01:48 2019: NumRead 48 NumWritten 48
Fri Oct 11 20:01:48 2019: Successfully fixed annotation database.
Fri Oct 11 20:01:48 2019: Repairing of history database was completed successfully

The first and last lines were the 2 strings that I was looking for in the log.

I wanted to create a search to return a list of servers' name where only string 1 is found and string2 is NOT. Because it's parsed as a separate event for each timestamp, simple "search1 NOT search2" doesn't work. I tried subsearch like search string 1 NOT [search string 2] and it still didn't work as what I expected. Any idea? Thanks.

Zhang

0 Karma
Reply

zzhao05
New Member
‎11-12-2019 01:35 PM

Attached is the snapshot.. It's not what I was looking for.. I need a list of server names..

Preview file
66 KB
0 Karma
Reply

mayurr98
Super Champion
‎11-12-2019 01:58 PM

yeah, so that's what you are getting. add |table server at the end. I am assuming that all the servers are stored in a field. if not then you would have to extract it.

0 Karma
Reply

zzhao05
New Member
‎11-12-2019 02:33 PM

Cool... Thank you very much!! It worked.

0 Karma
Reply

mayurr98
Super Champion
‎11-12-2019 12:10 PM

try this:

index=<your_index> |  eval field=case(like(_raw,"%History was not closed with a proper agent termination after the above date%"),"value1",like(_raw,"%Repairing of history database was completed successfully%"),"value2") 
|  stats dc(field) as dc_field values(field) as field by server 
| where dc_field="1" AND field=value1
0 Karma
Reply

mayurr98
Super Champion
‎11-13-2019 06:33 AM

If it works for you please accept the answer to close this question.

0 Karma
Reply
Get Updates on the Splunk Community!

App Platform's 2025 Year in Review: A Year of Innovation, Growth, and Community

As we step into 2026, it’s the perfect moment to reflect on what an extraordinary year 2025 was for the Splunk ...

Operationalizing Entity Risk Score with Enterprise Security 8.3+

Overview Enterprise Security 8.3 introduces a powerful new feature called “Entity Risk Scoring” (ERS) for ...

Unlock Database Monitoring with Splunk Observability Cloud

  In today’s fast-paced digital landscape, even minor database slowdowns can disrupt user experiences and ...