Splunk Search

Help with search with multiple NOT IN subqueries

usarios
Engager
The goal is to take all eventIds with "operation failed" and exclude events with "Duplicate key" and "Event processed successfully":

index="idx" "Transaction failed" 
| table eventId
| dedup eventId
| search NOT [search index="idx" "Duplicate key"
             | table eventId ]
| search NOT [search index="idx" "Event processed successfully"
             | table eventId ] 

But for some reason the last NOT subquery doesn't exclude the events which processed successfully:
| search NOT [search index="idx" "Event processed successfully"
             | table eventId ] 
Labels (2)
Tags (2)
0 Karma
1 Solution

gcusello
SplunkTrust
SplunkTrust

Hi @usarios,

let me inderstand there could be eventId with only one message or the same eventId could have different messages in different events?

if the second you could run something like this:

index="idx" ("Transaction failed" OR "Duplicate key" OR "Event processed successfully")
| eval message=case(searchmatch("Transaction failed"),"Transaction failed", searchmatch("Duplicate key"),"Duplicate key",searchmatch("Event processed successfully","Event processed successfully")
| stats dc(message) AS message_count values(message) AS message BY eventId
| where message_count=1 AND message="Transaction failed"
| table eventId

Ciao.

Giuseppe

View solution in original post

gcusello
SplunkTrust
SplunkTrust

Hi @usarios,

let me inderstand there could be eventId with only one message or the same eventId could have different messages in different events?

if the second you could run something like this:

index="idx" ("Transaction failed" OR "Duplicate key" OR "Event processed successfully")
| eval message=case(searchmatch("Transaction failed"),"Transaction failed", searchmatch("Duplicate key"),"Duplicate key",searchmatch("Event processed successfully","Event processed successfully")
| stats dc(message) AS message_count values(message) AS message BY eventId
| where message_count=1 AND message="Transaction failed"
| table eventId

Ciao.

Giuseppe

usarios
Engager

Grazie, Giuseppe.

Yes, that works for me!

Ciao

0 Karma
Get Updates on the Splunk Community!

Why You Can't Miss .conf25: Unleashing the Power of Agentic AI with Splunk & Cisco

The Defining Technology Movement of Our Lifetime The advent of agentic AI is arguably the defining technology ...

Deep Dive into Federated Analytics: Unlocking the Full Power of Your Security Data

In today’s complex digital landscape, security teams face increasing pressure to protect sprawling data across ...

Your summer travels continue with new course releases

Summer in the Northern hemisphere is in full swing, and is often a time to travel and explore. If your summer ...