Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do you execute a two pattern search where the first pattern host(is a field ) should be ignored on second pattern search?

jeevananm06
New Member
‎09-14-2018 03:38 AM

I was executing my search on a log file.

This is the pattern i want to search ** END ABCD234** hour>00 where this shouldn't be searched on several host(servers).

The host that needs to be ignored can be identified by this pattern "DISABLE" "END" hour>00

Here, hour is a field extracted from timestamp (Example:01:15:38- here 01 was extracted).

Please let me know if more info needed.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎09-14-2018 06:55 AM

It seems like you want to search which has END ABCD234 hour>00 as pattern (event 1) but does not have DISABLE END hour>00 (separate event 2). If that's the case, you can try something like this

index=yourindex sourcetype=yoursourcetype END ABCD234 hour>00 NOT [search index=yourindex sourcetype=yoursourcetype DISABLE END hour>00 | stats count by host | table host ]

The subsearch would exclude all the hosts that have DISABLE END hour>00 events, from the main search result.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎09-14-2018 06:55 AM

It seems like you want to search which has END ABCD234 hour>00 as pattern (event 1) but does not have DISABLE END hour>00 (separate event 2). If that's the case, you can try something like this

index=yourindex sourcetype=yoursourcetype END ABCD234 hour>00 NOT [search index=yourindex sourcetype=yoursourcetype DISABLE END hour>00 | stats count by host | table host ]

The subsearch would exclude all the hosts that have DISABLE END hour>00 events, from the main search result.

0 Karma
Reply
Solved! Jump to solution

jeevananm06
New Member
‎09-17-2018 05:14 AM

Thanks for your help

0 Karma
Reply
Solved! Jump to solution

niketn
Legend
‎09-17-2018 10:01 AM

@jeevananm06 if your issue is resolved do accept this answer to mark your question as answered!

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Solved! Jump to solution

jeevananm06
New Member
‎09-19-2018 12:35 AM

Done Thanks for your help

0 Karma
Reply
Solved! Jump to solution

sudosplunk
Motivator
‎09-14-2018 06:30 AM

If "DISABLE" is the keyword that need to be ignored, then specify this before the hour field.

Like, index=idx END NOT "DISABLE" | where hour>00. If this is not what you're looking for, then please provide sample events which has these keywords.

0 Karma
Reply
Solved! Jump to solution

inventsekar
SplunkTrust
SplunkTrust
‎09-14-2018 06:28 AM

looks like do-able task....
yes, more info needed please..

thanks and best regards,
Sekar

PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !
0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...

Fun with Regular Expression - multiples of nine

Fun with Regular Expression - multiples of nineThis challenge was first posted on Slack #regex channel ...