Splunk Search

How to access data in rows of table and then search further using each of those values?

sai_shreyashi_p
New Member

Suppose I have logged data with certain fields like id, level, message etc.
Ex:
id:123
level:warn
Message:xyz task is being performed(msg1)

I need to find all logs which have the above message logged but should not have gone through a log with message 'abc task is being performed' (msg2).
So what I was trying to do was first get all ids which have msg1, then use a subsearch to search, for each of those ids, where NOT (msg2) is found. But it isn't working, and I even tried:

fields id | map search=" search sourcetype=default_abc id=* NOT "abc task is being performed" " 

Sorry, I am new to this so I might be wrong with understanding a lot of it.

0 Karma
1 Solution

renjith_nair
SplunkTrust

@sai_shreyashi_penugo,

Try

Updated as per comments:

 "your other search terms"  "*task is being performed*"
 |eventstats count(eval(searchmatch("msg1"))) as msg1Count,count(eval(searchmatch("msg2"))) as msg2Count by id
 |where msg1Count>0 AND msg2Count < 1

=-=-=-=-=-=-=-=-=-=-=

"your other search terms"  "*task is being performed*" NOT "*msg2"

OR

Extract the message and filter using that:

"base search" | rex field=Message "performed\((?<msg>.+)\)"|where msg!="Msg2"
Happy Splunking!

0 Karma

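The difference between filtering events and filtering ids, which is what the accepted answer's eventstats/where pattern solves, as an added Python illustration (not SPL from the thread): it annotates every event with per-id counts of msg1 and msg2 like `eventstats ... by id` and keeps only ids with msg1Count>0 and msg2Count<1, beside the event-level `NOT` filter that the asker found insufficient. The sample events and the substring stand-in for searchmatch are constructed assumptions.

```python
import re

# Constructed sample events (not from the thread): "id=... level=... Message=..."
SAMPLE_EVENTS = [
    "id=123 level=warn Message=xyz task is being performed",  # 123 has msg1...
    "id=123 level=info Message=abc task is being performed",  # ...and msg2
    "id=456 level=warn Message=xyz task is being performed",  # 456 has msg1 only
    "id=789 level=info Message=abc task is being performed",  # 789 has msg2 only
    "id=456 level=info Message=other event",
]
MSG1 = "xyz task is being performed"
MSG2 = "abc task is being performed"

EVENT_RE = re.compile(r"^id=(?P<id>\S+) level=(?P<level>\S+) Message=(?P<Message>.*)$")


def parse_event(line):
    """Extract id, level and Message fields from one constructed event line."""
    m = EVENT_RE.match(line)
    if not m:
        raise ValueError(f"unparseable event: {line!r}")
    return m.groupdict()


def eventstats_counts(events, msg1, msg2):
    """Mimic `eventstats count(eval(searchmatch(msg1))) as msg1Count,
    count(eval(searchmatch(msg2))) as msg2Count by id`: every event is kept and
    annotated with its id's totals. Substring match stands in for searchmatch."""
    counts = {}
    for ev in events:
        c = counts.setdefault(ev["id"], {"msg1Count": 0, "msg2Count": 0})
        c["msg1Count"] += msg1 in ev["Message"]
        c["msg2Count"] += msg2 in ev["Message"]
    return [dict(ev, **counts[ev["id"]]) for ev in events]


def ids_with_msg1_but_not_msg2(lines, msg1=MSG1, msg2=MSG2):
    """Accepted approach: `| where msg1Count>0 AND msg2Count<1`, then distinct ids."""
    events = eventstats_counts([parse_event(ln) for ln in lines], msg1, msg2)
    return sorted({ev["id"] for ev in events
                   if ev["msg1Count"] > 0 and ev["msg2Count"] < 1})


def naive_event_level_filter(lines, msg1=MSG1, msg2=MSG2):
    """Event-level `"*msg1*" NOT "*msg2*"`: drops msg2 events but not the msg1
    events of ids that also logged msg2, so id 123 wrongly survives."""
    events = [parse_event(ln) for ln in lines]
    return sorted({ev["id"] for ev in events
                   if msg1 in ev["Message"] and msg2 not in ev["Message"]})
```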

sai_shreyashi_p
New Member

Thank you for the reply, but this won't help completely in my case. I need to check, for each id, if it has a log with message 1 and does not have a log with message 2.

0 Karma

renjith_nair
SplunkTrust

@sai_shreyashi_penugo,
What about:

"your other search terms"  "*task is being performed*"
|eventstats count(eval(searchmatch("msg1"))) as msg1Count,count(eval(searchmatch("msg2"))) as msg2Count by id
|where msg1Count>0 AND msg2Count < 1
Happy Splunking!
0 Karma

sai_shreyashi_p
New Member

Thank you so much! This solved it.

0 Karma