Splunk Search

How to exclude two grouping of results in query?

noob4now
New Member

Hello, this is my first forum entry and I'm really hoping this question is clear. Currently, my timechart results are grouping together multiple values of the same circuit ID which pollutes the results. The circuits are broken up into parts on our SONET network, but when they alarm, the 12-part circuit tends to block results from graphing as this circuit dominates the visible fields. So I want to remove all the parts that are not labeled "_0001" or "_1of". I'm currently setting my search to use the NOT string multiple times. The labels mentioned above have text in front and behind, but the statements I include are unique.

index=silvx SilvxManagerAlarmObject{}.TrapInfo{}.DisplayName=*O_AISR* AND SilvxManagerAlarmObject{}.TrapInfo{}.DisplayName!=6* NOT SilvxManagerAlarmObject{}.TrapInfo{}.DisplayName=*_0002* (.... same NOT command repeated all the way down to *_0012*) NOT SilvxManagerAlarmObject{}.TrapInfo{}.DisplayName=*_2of* (.... same NOT command repeated all the way down to *_12of*) | timechart count by SilvxManagerAlarmObject{}.TrapInfo{}.DisplayName usenull=false useother=false

I have no control on how these circuits are named, so I figured I could just exclude the unnecessary pieces, but it makes my query very long. Hoping there is a Boolean function or similar that could take care of this. Thanks!

Tags (1)
0 Karma

noob4now
New Member

@somesoni2 : Line 3 --> I added this to the query and at first it appeared to be working but when I replaced the O_AISR string with an actual multi-part circuit, the results are showing every _0001 section all the way up to _0021. I'm not at all understanding how your query is working, but it appears it's trying to replace 0000 with the mvexpand n string, but isn't identifying the circuit sections properly.

Here's how an example of a multi-part circuit per the SilvxManagerAlarmObject{}.TrapInfo{}.DisplayName log string:
765A_O_AISR-1_U_B_0001
765A_O_AISR-1_U_B_0002 ... ... ...
765A_O_AISR-1_U_B_0009 ... ... ...
.... 0010
.... 0011
etc all down to however many parts. Some stop at _0012 while others I've seen go high as _0021. The commonality that the majority possess is the final numerical part but I have seen some that are represented via the _1of1 ... ... ... _1of21 strings. These aren't nearly as common as the numeric values, but are present and also offer Splunk results pollution.

0 Karma

somesoni2
Revered Legend

I would suggest to run the subsearch separately to see what result it produces. Whatever it produces is added as filter in the main search.

| makeresults | eval n=mvrange(2,13) | table n | mvexpand n | eval "SilvxManagerAlarmObject{}.TrapInfo{}.DisplayName"="*_".replace("0000".n,"(\d{4})$", "\1*") | fields - n | format "" "" "" "OR" "" ""

It basically generates a long list of OR conditions where sequence is managed by number specified in the mvrange command (goes from 2 to 13-1=12, update the numbers per your need). The replace command actually pads zero to the number portion.

What your current query with actual OAISR string?

0 Karma

noob4now
New Member

Thanks somesoni2. I see that you're re-iterating your previous search filter, but after I placed it in line with my query, the same results are occurring. This search is specific to a single circuit ID. Below is the query.

index=SILVX | search "765A*O_AISR NOT [| makeresults | eval n=mvrange(2,13) | table n | mvexpand n | eval "SilvxManagerAlarmObject{}.TrapInfo{}.DisplayName"="_".replace("0000".n,"(\d{4})$", "\1") | fields - n | format "" "" "" "OR" "" ""] | timechart count by SilvxManagerAlarmObject{}.TrapInfo{}.DisplayName

Here's a perfect copy of the returned circuit ID:
765A__O_AISR-2_U_B_0001
as seen here, the circuit IDs are identical up to the final string. Some go as high as _0021. All of these are returned in the query above. There is a * in front of my circuit ID above because for unknown reasons, some return with a device PathID-x-x-x initial wording, but should not matter based on the NOT filter constraints above since it is targeting the _0001 ... numbered portion. I hope this helps! Thanks!

0 Karma

somesoni2
Revered Legend

So going by your remark So I want to remove all the parts that are not labeled "_0001" or "_1of", I would try this first

index=silvx 
SilvxManagerAlarmObject{}.TrapInfo{}.DisplayName=*O_AISR* AND SilvxManagerAlarmObject{}.TrapInfo{}.DisplayName!=6*
SilvxManagerAlarmObject{}.TrapInfo{}.DisplayName="*_0001*" OR SilvxManagerAlarmObject{}.TrapInfo{}.DisplayName="*_1of*"
| timechart count by SilvxManagerAlarmObject{}.TrapInfo{}.DisplayName usenull=false useother=false

second, Give this a try

index=silvx 
SilvxManagerAlarmObject{}.TrapInfo{}.DisplayName=*O_AISR* AND SilvxManagerAlarmObject{}.TrapInfo{}.DisplayName!=6*
NOT [| makeresults | eval n=mvrange(2,13) | table n | mvexpand n | eval "SilvxManagerAlarmObject{}.TrapInfo{}.DisplayName"="*_".replace("0000".n,"(\d{4})$", "\1*") | fields - n | format "" "" "" "OR" "" ""]
NOT  [| makeresults | eval n=mvrange(2,13) | table n | mvexpand n | eval "SilvxManagerAlarmObject{}.TrapInfo{}.DisplayName"="*_".n,"of*" | fields - n | format "" "" "" "OR" "" ""]
| timechart count by SilvxManagerAlarmObject{}.TrapInfo{}.DisplayName usenull=false useother=false
0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...