Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Excluding logs with specific keywords from dashboards

kp2
Loves-to-Learn Lots
‎07-12-2023 05:23 AM

Hello, 
I have application which ends specific kind of log. Every log have a jobId field and additional information" returned: 1" or "returned: 0". For one jobId program can return a lot of "returned: 1" and only one "returned: 0" logs. I want to get dashboard for daily count of jobId, but I want to exclude jobId number, when one of logs contain "returned: 1". I write something like that:
$env$ $project$ "jobId" AND NOT "returned: 0" | timechart span=24h dc(jobId)

but this only exclude logs, where is only "returned : 0" for one jobId.

Is there possibility to get this dashboard?

Labels (4)
Labels
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎07-12-2023 05:39 AM

If I have understood your requirement, you want a count of jobs which have only ever returned 0 and never returned 1?

If this is the case, how do you set your time frame to ensure the just before your earliest time, a job hasn't just returned 1?

0 Karma
Reply

kp2
Loves-to-Learn Lots
‎07-12-2023 05:50 AM

Yes, I  want a count of jobs which have only ever returned 0 and never returned 1. 
There is no possibility to return 1 and next return 0. There is only case, when I have several jobs with 0 and eventually returned 1 as the last one. So I think, that time frame is unnecessary.

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎07-12-2023 06:04 AM

There is always a timeframe, even if it is "all time" (which even then really means all the events currently indexed i.e. it does not include events which had past the expiry time of their buckets.

If you want jobs which have "never" returned 1 in any event you have available, you may still have to search all your events just in case there is an event for the job with returned 1.

As it stands, your requirement is not precise enough to be able to determine if a solution is possible.

0 Karma
Reply

kp2
Loves-to-Learn Lots
‎07-12-2023 06:38 AM

I know that I must search for "returned 1" but I don't know how to do it. To sum up, I must check if some jobId have "returned 0" and the same jobId not "returned 1". But I don't know how to do it.

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎07-12-2023 08:34 AM

Assuming you have a field called returned that either holds 1 or 0, you could do this

| eventstats values(returned) as returned by jobId
| where mvcount(returned) == 1 AND returned = 0
| timechart span=24h dc(jobId)
0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...