Splunk Search

How do I filter field values not present in the successful events in the super search

rafiqul
New Member

I wanted to extract MAC addresses from events that never succeeded within a time boundary. I am dealing with events having both SUCCESS and FAILURE for the same MAC address. I want to exclude those MAC addresses and find only those that failed only. I have the Device_Mac field filtered from a subsearch, which returns thousands of MAC addresses. I then wanted to run each of these MAC addresses in the main search and filter out those MAC addresses found in the successful events. I was using NOT Device_Mac="*" to filter those MAC addresses, but it's not returning anything in the result. Can you please help with how to exclude those MAC addresses from the main search results and find the MAC addresses that never succeeded within the time boundary? I will eventually use the extracted MAC addresses in another super search with latest="04/10/2019:00:00:00" (which is not shown in my following search). Any better search you can recommend? Thanks for your help.

Here is my search:

index=blah sourcetype=blahblah success earliest="04/10/2019:00:00:00" NOT Device_Mac="*" | search [search index=blah sourcetype=blahblah "500 Internal Error" earliest="04/10/2019:00:00:00" | stats count by Device_Mac | table Device_Mac ] | stats count by Device_Mac

0 Karma

grittonc
Contributor

I think you could create two new fields, one to indicate whether an event is a failure, and one to indicate whether it is a success. Then you can count both of those columns and eliminate the MAC addresses that only had failures.

index=blah sourcetype=blahblah earliest="04/10/2019:00:00:00"
| eval failure=if(match(_raw,".*500 Internal Error.*"), 1, 0), success=if(failure=1, 0, 1)
| stats sum(failure) as failure, sum(success) as success by Device_Mac
| search failure>0 AND success=0

This also eliminates the potential problem of your results exceeding subsearch limits.

0 Karma
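The same per-MAC tally as the answer's eval/stats pipeline, written in Python over constructed sample events so the logic can be checked offline (an added example, not code from this thread; the log line format, the Device_Mac values and the timestamps are assumptions):

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample events (not from the original post). Each line carries a
# timestamp, a Device_Mac field and either "success" or "500 Internal Error".
SAMPLE_EVENTS = """\
2019-04-10 00:05:12 Device_Mac=aa:bb:cc:00:00:01 msg="500 Internal Error"
2019-04-10 00:06:03 Device_Mac=aa:bb:cc:00:00:01 msg="success"
2019-04-10 00:07:44 Device_Mac=aa:bb:cc:00:00:02 msg="500 Internal Error"
2019-04-10 00:09:10 Device_Mac=aa:bb:cc:00:00:02 msg="500 Internal Error"
2019-04-10 00:11:30 Device_Mac=aa:bb:cc:00:00:03 msg="success"
2019-04-09 23:59:59 Device_Mac=aa:bb:cc:00:00:04 msg="500 Internal Error"
"""

EVENT_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) .*?Device_Mac=(?P<mac>[0-9a-f:]{17})"
)
TS_FMT = "%Y-%m-%d %H:%M:%S"


def failed_only_macs(raw_events: str, earliest: str) -> list[str]:
    """Mirror of the answer's SPL: failure=1 if the event matches
    '500 Internal Error', otherwise success=1; sum both per Device_Mac;
    keep MACs with failure>0 AND success=0. Events before `earliest`
    are skipped, like the earliest= time modifier in the search."""
    cutoff = datetime.strptime(earliest, TS_FMT)
    totals = defaultdict(lambda: {"failure": 0, "success": 0})
    for line in raw_events.splitlines():
        m = EVENT_RE.match(line)
        if not m:
            continue  # no Device_Mac field: "stats ... by Device_Mac" would drop it too
        if datetime.strptime(m["ts"], TS_FMT) < cutoff:
            continue
        is_failure = "500 Internal Error" in line
        totals[m["mac"]]["failure" if is_failure else "success"] += 1
    return sorted(mac for mac, t in totals.items()
                  if t["failure"] > 0 and t["success"] == 0)


if __name__ == "__main__":
    # MAC ...01 has both outcomes, ...03 only succeeded, ...04 is before the
    # time boundary, so only ...02 remains.
    print(failed_only_macs(SAMPLE_EVENTS, "2019-04-10 00:00:00"))
```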