Solved: How do I find transaction that does not contain an...

vgodavarty0116 · ‎06-14-2021

Hi I have a log like below.

x INFO id=abc123 Started Processing
x+1 INFO id=abc123 Ended Processing
x+2 INFO id=abc123 Notification Sent
x+3 INFO id=def456 Started Processing
x+4 INFO id=def456 Ended Processing

Now I want to find for which ids notifications are not sent ( a result in a table format something like this)

id Notification sent
abc123 yes
def456 no

I tried using "NOT" clause but unable to figure out the query to get the desired results. Can anyone please help me to figure out the query?!

venkatasri · ‎06-14-2021

Hi @vgodavarty0116

You can try this,

index=yout_index sourcetype=your_stype
| rex "id=\S+\s+(?<process_stage>[\w\s\d]+)" 
| stats values(process_stage) as vals by id 
| eval notification=if(mvcount(vals) == 3 AND match(vals,"Notification"), "Yes", "No") 
| table id notification

------

An upvote would be appreciated if it helps!

View solution in original post

venkatasri · ‎06-14-2021

Hi @vgodavarty0116

You can try this,

index=yout_index sourcetype=your_stype
| rex "id=\S+\s+(?<process_stage>[\w\s\d]+)" 
| stats values(process_stage) as vals by id 
| eval notification=if(mvcount(vals) == 3 AND match(vals,"Notification"), "Yes", "No") 
| table id notification

------

An upvote would be appreciated if it helps!

How do I find transaction that does not contain an event?

eval

join

subsearch

transaction

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life