Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Getting a record which does not have a particular event

JJ_singh
New Member
‎09-14-2020 06:25 PM

Hi,

I am trying to filter out unique request which does have a particular event. For instance, each request can go through following events

1. receive

2. process

3. publish

we publish all events for every requests in splunk. I am trying to write a query to find all the uniq request ( let's say represented by requestId) which does not have a "publish" event.

 

How can I achieve it?  I have tried using`NOT` but that just ignore the event, In fact I want to eval. Any suugestions?

Labels (2)
Labels
0 Karma
Reply

renjith_nair
Legend
‎09-14-2020 07:00 PM

If there a field to distinguish the type of event say event_type,

""your search"|stats values(event_type) as event_types by requestId
|where isnull(mvfind(event_types,"publish"))

 

Try without the where clause to see how your events are grouped.

You may add additional fields to the stats or replace stats with eventstats

Happy Splunking!
0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...