- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Exclude value based on subsearch
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello,
I want to exclude some values if that have the field SPAN_LOSS_MAX=50 between midnight to 7 a.m.
This is my approach:
index="flap" DELTA_SPAN>=3 | search NOT
[search index="flap" SPAN_LOSS_MAX=50 | dedup CONCATENATE_Z sortby +_time
|eval Hour=strftime(_time,"%H")
|where Hour>=00 AND Hour<=7
|stats count by Hour]
|dedup CONCATENATE_Z sortby +_time
| eval Hour=strftime(_time,"%H")
| chart count as FLAP by Hour
But this search returns also values that are in the subsearch.
Any Ideas?
Thanks!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Why not just do this
index="flap" DELTA_SPAN>=3 |eval Hour=tonumber(strftime(_time,"%H") )
| where NOT (SPAN_LOSS_MAX=50 AND Hour>=0 AND Hour<7)
|dedup CONCATENATE_Z sortby +_time
| eval Hour=strftime(_time,"%H")
| chart count as FLAP by Hour
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Why not just do this
index="flap" DELTA_SPAN>=3 |eval Hour=tonumber(strftime(_time,"%H") )
| where NOT (SPAN_LOSS_MAX=50 AND Hour>=0 AND Hour<7)
|dedup CONCATENATE_Z sortby +_time
| eval Hour=strftime(_time,"%H")
| chart count as FLAP by Hour
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks it works! Just a question:
if I want to exclude also 11 p.m.?
I tried | where NOT (SPAN_LOSS_MAX=50 AND Hour>=0 AND Hour<7 AND Hour !=23 ) but it didn't work.
Thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try this
...| where NOT (SPAN_LOSS_MAX=50 AND Hour>=23 AND Hour<7)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I've already tried but it didn't work.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
NOT (SPAN_LOSS_MAX=50 AND ((Hour>=0 AND Hour<7) OR Hour=23))
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you! It works!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello ngerosa,
There is already a default hour extraction called date_hour.. if you don't have it, I will recommend building the extraction yourself to be able to filter since search command.
index="flap" DELTA_SPAN>=3 NOT NOT (SPAN_LOSS_MAX=50 AND date_hour>=0 AND date_hour<=7)
| dedup CONCATENATE_Z sortby + _time
| chart count AS FLAP by date_hour
Hope it helps,
Regards.
More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk
.conf24 | Personalize your .conf experience with Learning Paths!
Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...
