Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to exclude certain wildcard matches from the search

franjo
Explorer
‎09-19-2019 03:42 PM

I need to search for *exception in our logs (e.g. "NullPointerException") but want to exclude certain matches (e.g. "DefaultException"). If my search is 

*exception NOT DefaultException

then it works fine, except for the cases where I have both "NullPointerException" and "DefaultException" values in the text.
How do I create a search that will ignore records with "DefaultException" only, but not ignore them if there are other "*exception" present?

Here is an example: I want to ignore line1, but get (in search results) lines 2 and 3. With my search above I'm only getting line3:

1. line1: some DefaultException happened
2. line2: some NullPointerException happened together with DefaultException
3. line3: another NullPointerException happened

Thanks!
Franjo.

Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

morethanyell
Builder
‎09-25-2019 12:34 AM

Say you have these raw logs (as you mentioned above)

| makeresults
| eval sample_raw = "some DefaultException happened,some NullPointerException happened together with DefaultException,another NullPointerException happened"
| makemv delim="," sample_raw
| mvexpand sample_raw

alt text

The important thing to consider here is to count the occurence of "Exception" in your raw log. In order to do that, we need to capture the exceptions as multivalue field like this (or by adding this line of rex)

| rex field=sample_raw max_match=0 "(?<exception_type>[\w]+)Exception"

As a result, it will create an MV field containing all the Exceptions like this:
alt text

From here, you can just easily filter out the ones you don't like using the | where command:

| where mvcount(exception_type) > 1 OR exception_type != "Default"

I think this is just one approach. There might be better ways to do it.

View solution in original post

Reply
Solved! Jump to solution
Solution

morethanyell
Builder
‎09-25-2019 12:34 AM

Say you have these raw logs (as you mentioned above)

| makeresults
| eval sample_raw = "some DefaultException happened,some NullPointerException happened together with DefaultException,another NullPointerException happened"
| makemv delim="," sample_raw
| mvexpand sample_raw

alt text

The important thing to consider here is to count the occurence of "Exception" in your raw log. In order to do that, we need to capture the exceptions as multivalue field like this (or by adding this line of rex)

| rex field=sample_raw max_match=0 "(?<exception_type>[\w]+)Exception"

As a result, it will create an MV field containing all the Exceptions like this:
alt text

From here, you can just easily filter out the ones you don't like using the | where command:

| where mvcount(exception_type) > 1 OR exception_type != "Default"

I think this is just one approach. There might be better ways to do it.

Reply
Solved! Jump to solution

franjo
Explorer
‎09-25-2019 02:01 PM

mvCount > 1 was not always good, but if I use this then I get what I want:

where mvcount(mvfilter(exception_type != "Default")) > 0

Reply
Solved! Jump to solution

morethanyell
Builder
‎09-25-2019 03:13 PM

That is a lot better

0 Karma
Reply
Solved! Jump to solution

adonio
Ultra Champion
‎09-20-2019 02:20 AM

your search .... NOT "DefaultException" ....

0 Karma
Reply
Solved! Jump to solution

franjo
Explorer
‎09-23-2019 09:51 AM

how is this different from " *exception NOT DefaultException " that I already mentioned in the question?

0 Karma
Reply
Solved! Jump to solution

adonio
Ultra Champion
‎09-23-2019 10:26 AM

looks like i misunderstood your question, can you elaborate on the requirement: "How do I create a search that will ignore records with "DefaultException" only, but not ignore them if there are other "*exception" present?"
can you provide some sample data?

0 Karma
Reply
Solved! Jump to solution

franjo
Explorer
‎09-23-2019 10:31 AM

Sure, here are 3 examples. I want to ignore line1, but get (in search results) lines 2 and 3. With my initial query (and your proposal) I'm only getting line3:

  1. line1: some DefaultException happened
  2. line2: some NullPointerException happened together with DefaultException
  3. line3: another NullPointerException happened
0 Karma
Reply
Solved! Jump to solution

adonio
Ultra Champion
‎09-24-2019 07:04 PM

can you provide a larger masked data set? also can you provide the final result you are interested in with the format? chart / table / etc ...

0 Karma
Reply
Solved! Jump to solution

rupesh26
Path Finder
‎09-19-2019 09:26 PM

do you want to ignore events where both "NullPointerException" and "DefaultException" values present as well ?

0 Karma
Reply
Solved! Jump to solution

franjo
Explorer
‎09-23-2019 09:51 AM

No, I want to always see (get in results) my "NullPointerException". I just don't want to see the entries where only "DefaultExceptions" is present (and no other one).

0 Karma
Reply
Solved! Jump to solution

rupesh26
Path Finder
‎09-24-2019 10:51 PM

when you do a wildcard search you are searching the entire event, so it will ignore even this event

some NullPointerException happened together with DefaultException

The best way to do is use field extraction and extract NullPointerException to a field and add that field to your search

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...