Splunk Search

Help with search with multiple NOT IN subqueries

usarios
Engager
The goal is to take all eventIds with "operation failed" and exclude events with "Duplicate key" and "Event processed successfully":

index="idx" "Transaction failed" 
| table eventId
| dedup eventId
| search NOT [search index="idx" "Duplicate key"
             | table eventId ]
| search NOT [search index="idx" "Event processed successfully"
             | table eventId ] 

But for some reason the last NOT subquery doesn't exclude the events which processed successfully:
| search NOT [search index="idx" "Event processed successfully"
             | table eventId ] 
Labels (2)
Tags (2)
0 Karma
1 Solution

gcusello
SplunkTrust
SplunkTrust

Hi @usarios,

let me inderstand there could be eventId with only one message or the same eventId could have different messages in different events?

if the second you could run something like this:

index="idx" ("Transaction failed" OR "Duplicate key" OR "Event processed successfully")
| eval message=case(searchmatch("Transaction failed"),"Transaction failed", searchmatch("Duplicate key"),"Duplicate key",searchmatch("Event processed successfully","Event processed successfully")
| stats dc(message) AS message_count values(message) AS message BY eventId
| where message_count=1 AND message="Transaction failed"
| table eventId

Ciao.

Giuseppe

View solution in original post

gcusello
SplunkTrust
SplunkTrust

Hi @usarios,

let me inderstand there could be eventId with only one message or the same eventId could have different messages in different events?

if the second you could run something like this:

index="idx" ("Transaction failed" OR "Duplicate key" OR "Event processed successfully")
| eval message=case(searchmatch("Transaction failed"),"Transaction failed", searchmatch("Duplicate key"),"Duplicate key",searchmatch("Event processed successfully","Event processed successfully")
| stats dc(message) AS message_count values(message) AS message BY eventId
| where message_count=1 AND message="Transaction failed"
| table eventId

Ciao.

Giuseppe

usarios
Engager

Grazie, Giuseppe.

Yes, that works for me!

Ciao

0 Karma
Get Updates on the Splunk Community!

.conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

(view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...