Getting a record which does not have a particular ...

JJ_singh · ‎09-14-2020

Hi,

I am trying to filter out unique request which does have a particular event. For instance, each request can go through following events

1. receive

2. process

3. publish

we publish all events for every requests in splunk. I am trying to write a query to find all the uniq request ( let's say represented by requestId) which does not have a "publish" event.

How can I achieve it? I have tried using`NOT` but that just ignore the event, In fact I want to eval. Any suugestions?

renjith_nair · ‎09-14-2020

If there a field to distinguish the type of event say event_type,

""your search"|stats values(event_type) as event_types by requestId
|where isnull(mvfind(event_types,"publish"))

Try without the where clause to see how your events are grouped.

You may add additional fields to the stats or replace stats with eventstats

---
What goes around comes around. If it helps, hit it with Karma 🙂

Getting a record which does not have a particular event

eval

regex

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

Splunk Community Badges!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Join the Conversation