Solved: Exclude value based on subsearch

ngerosa · ‎06-29-2017

Hello,
I want to exclude some values if that have the field SPAN_LOSS_MAX=50 between midnight to 7 a.m.

This is my approach:

But this search returns also values that are in the subsearch.

Any Ideas?

Thanks!

somesoni2 · ‎06-29-2017

Why not just do this

index="flap" DELTA_SPAN>=3 |eval Hour=tonumber(strftime(_time,"%H") )
| where NOT (SPAN_LOSS_MAX=50 AND Hour>=0 AND Hour<7)
|dedup CONCATENATE_Z sortby +_time
| eval Hour=strftime(_time,"%H") 
| chart count as FLAP by Hour

View solution in original post

somesoni2 · ‎06-29-2017

Why not just do this

index="flap" DELTA_SPAN>=3 |eval Hour=tonumber(strftime(_time,"%H") )
| where NOT (SPAN_LOSS_MAX=50 AND Hour>=0 AND Hour<7)
|dedup CONCATENATE_Z sortby +_time
| eval Hour=strftime(_time,"%H") 
| chart count as FLAP by Hour

ngerosa · ‎06-29-2017

Thanks it works! Just a question:
if I want to exclude also 11 p.m.?
I tried | where NOT (SPAN_LOSS_MAX=50 AND Hour>=0 AND Hour<7 AND Hour !=23 ) but it didn't work.
Thanks

somesoni2 · ‎06-29-2017

Try this

...| where NOT (SPAN_LOSS_MAX=50 AND Hour>=23 AND Hour<7)

ngerosa · ‎06-29-2017

I've already tried but it didn't work.

rafaelsalazar · ‎06-29-2017

NOT (SPAN_LOSS_MAX=50 AND ((Hour>=0 AND Hour<7) OR Hour=23))

ngerosa · ‎06-29-2017

Thank you! It works!

rafaelsalazar · ‎06-29-2017

Hello ngerosa,

There is already a default hour extraction called date_hour.. if you don't have it, I will recommend building the extraction yourself to be able to filter since search command.

index="flap" DELTA_SPAN>=3 NOT NOT (SPAN_LOSS_MAX=50 AND date_hour>=0 AND date_hour<=7)
| dedup CONCATENATE_Z sortby + _time
| chart count AS FLAP by date_hour

Hope it helps,
Regards.

Exclude value based on subsearch

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!