Splunk Search

How to exclude two event types when together?

yoshileigh66
Explorer

I have noticed that the event_ids that I cannot find documentation for are associated with two eventtypes together. However, individually, those eventtypes are also associated with other event_ids.

How do I exclude the two eventtypes from the search only when they are both associated with an event_id? 

I tried eventtype != "xxx" AND eventtype!="yyy" but that doesn't group both of the eventtypes together, if that makes sense. So each event_id associated with "xxx" is excluded from the search, which is not the result I need. 

0 Karma

woodcock
Esteemed Legend

This is a basic boolean logic error. Try this:

... NOT (eventtype="xxx" AND eventtype="yyy")

0 Karma

ITWhisperer
SplunkTrust

Is eventtype a multivalue field in your events? If not, you can make it so (before applying @woodcock's logic):

| eventstats values(eventtype) as eventtypes by event_id
| where NOT (eventtypes=="xxx" AND eventtypes=="yyy")

Note that the collection of eventtypes is put in a new field so that the original eventtype for each event is preserved.

0 Karma
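The three filters discussed in this thread behave differently, and the difference is easiest to see on a small data set. The Python below is an added illustration, not code from the thread or from Splunk: it models the asker's original `eventtype!="xxx" AND eventtype!="yyy"` attempt, @woodcock's per-event `NOT (eventtype="xxx" AND eventtype="yyy")`, and @ITWhisperer's `eventstats values(eventtype) as eventtypes by event_id` followed by the grouped `where`. The sample events, event_ids (E1 to E6) and the eventtype names are constructed; the functions `exclude_either`, `exclude_both_in_event`, `eventstats_values` and `exclude_both_by_event_id` are assumed names for this demonstration.

```python
from collections import defaultdict

# Constructed sample events (not from the thread). Each record carries an
# event_id and the list of eventtypes that matched it; Splunk's eventtype
# field is multivalue when several eventtype definitions match one event.
SAMPLE_EVENTS = [
    {"event_id": "E1", "eventtype": ["xxx"]},
    {"event_id": "E2", "eventtype": ["yyy"]},
    {"event_id": "E3", "eventtype": ["xxx", "yyy"]},  # both on a single event
    {"event_id": "E4", "eventtype": ["xxx", "zzz"]},
    {"event_id": "E5", "eventtype": ["xxx"]},         # both eventtypes, but
    {"event_id": "E5", "eventtype": ["yyy"]},         # spread over two events
    {"event_id": "E6", "eventtype": ["zzz"]},
]


def exclude_either(events, a, b):
    """Model of the asker's `eventtype!="xxx" AND eventtype!="yyy"` attempt:
    drop every event that carries a OR b, so events tagged only "xxx" vanish."""
    return [e for e in events
            if a not in e["eventtype"] and b not in e["eventtype"]]


def exclude_both_in_event(events, a, b):
    """Model of @woodcock's `NOT (eventtype="xxx" AND eventtype="yyy")`,
    evaluated per event: drop an event only when its own multivalue
    eventtype holds a AND b at the same time."""
    return [e for e in events
            if not (a in e["eventtype"] and b in e["eventtype"])]


def eventstats_values(events, field, by):
    """Model of `eventstats values(<field>) as ... by <by>`: the distinct
    values of `field` seen across all events that share the same `by` value."""
    grouped = defaultdict(set)
    for e in events:
        grouped[e[by]].update(e[field])
    return grouped


def exclude_both_by_event_id(events, a, b):
    """Model of @ITWhisperer's approach: collect eventtypes per event_id into
    a new field `eventtypes` (the original eventtype is left untouched), then
    drop every event whose event_id is associated with both a and b, even
    when the two eventtypes arrive on separate events."""
    collected = eventstats_values(events, "eventtype", "event_id")
    kept = []
    for e in events:
        types = collected[e["event_id"]]
        if a in types and b in types:
            continue
        kept.append({**e, "eventtypes": sorted(types)})
    return kept


def ids(events):
    """event_id of each surviving event, in original order."""
    return [e["event_id"] for e in events]


if __name__ == "__main__":
    print("exclude either:        ", ids(exclude_either(SAMPLE_EVENTS, "xxx", "yyy")))
    print("exclude both, per event", ids(exclude_both_in_event(SAMPLE_EVENTS, "xxx", "yyy")))
    print("exclude both, by id    ", ids(exclude_both_by_event_id(SAMPLE_EVENTS, "xxx", "yyy")))
```

Only E6 survives the original `!=` filter, which matches the behaviour the asker reported. The per-event boolean drops just E3, the one event carrying both eventtypes at once, while the `eventstats` variant also drops both E5 events, because the two eventtypes are associated with that event_id across the data set rather than within one event. Which of the last two is wanted depends on whether "associated with an event_id" means within a single event or across all events with that id.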