
How to filter logs with different and same fields?

nmayafit
Path Finder

Hi. The subject is confusing, so here goes. I have 3 log lines:

org=A Status=Success

org=A Status=Fail

org=B Status=Success


I would like to get stats for orgs that have Status=Success, but not if those orgs have even one log where Status=Fail.

I tried to filter in the search query (but then, I get the line where org=A Status=Success) and in a WHERE clause, with no luck. I'm trying to find the right method to do this kind of filtering.


Thanks!

0 Karma

ITWhisperer
SplunkTrust
| stats values(Status) as Status by org
| where NOT Status="Fail"
0 Karma

PickleRick
SplunkTrust

I assume these are three separate events. You can't filter one event based on the value of another event. If you want just a summary of your orgs, do something like this:

<your base search>
| stats values(Status) by org
| where NOT Status="Fail"

If you want full events, use eventstats instead of stats, but be aware that eventstats is limited by resource constraints, so it may not work well on big datasets.

0 Karma
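As an added illustration that is not part of this thread (none of the participants posted it), the following Python script models the three events from the question and contrasts the event-level filter the original poster tried with the stats / eventstats grouping suggested above. The function names and the parsing helper are the script's own assumptions; the three sample events are constructed from the lines quoted in the question.

```python
"""Model of the thread's problem: which orgs have Status=Success and not a
single Status=Fail event?  Shows why filtering individual events cannot
answer that, and what grouping per org (stats / eventstats) does instead."""
from collections import defaultdict

# Constructed sample: the three raw events quoted in the question.
RAW_EVENTS = [
    "org=A Status=Success",
    "org=A Status=Fail",
    "org=B Status=Success",
]


def parse_event(line: str) -> dict:
    """Split a 'key=value key=value' line into a field dict, roughly what
    Splunk's automatic key=value extraction would produce."""
    fields = {}
    for token in line.split():
        key, _, value = token.partition("=")
        fields[key] = value
    return fields


EVENTS = [parse_event(line) for line in RAW_EVENTS]


def event_level_filter(events):
    """The first attempt from the question: putting Status=Success in the base
    search.  Each event is judged on its own, so org=A's Success event is kept
    even though org=A also has a Fail event."""
    return [e for e in events if e.get("Status") == "Success"]


def stats_values_status_by_org(events):
    """Equivalent of `| stats values(Status) as Status by org`: one row per
    org holding its distinct Status values, sorted lexicographically."""
    by_org = defaultdict(set)
    for e in events:
        by_org[e["org"]].add(e["Status"])
    return {org: sorted(vals) for org, vals in by_org.items()}


def orgs_without_fail(events):
    """The `| where NOT Status="Fail"` step, read as: drop any org whose
    Status list contains "Fail" anywhere (an explicit membership test)."""
    rows = stats_values_status_by_org(events)
    return {org: vals for org, vals in rows.items() if "Fail" not in vals}


def eventstats_filter(events):
    """The eventstats variant: annotate every event with its org's full Status
    list, then keep only the original events of orgs that have no Fail."""
    rows = stats_values_status_by_org(events)
    return [e for e in events if "Fail" not in rows[e["org"]]]


if __name__ == "__main__":
    print("event-level filter keeps:", event_level_filter(EVENTS))
    print("stats rows:", stats_values_status_by_org(EVENTS))
    print("orgs without any Fail:", orgs_without_fail(EVENTS))
    print("full events of those orgs:", eventstats_filter(EVENTS))
```

The membership test `"Fail" not in vals` makes the intended "not even one Fail" semantics explicit. When translating that back to SPL, confirm how your Splunk version compares a multivalue field in `where` before relying on a bare `Status="Fail"`; a formulation that avoids the multivalue comparison altogether is to count Fail events per org (for example with `count(eval(Status="Fail"))`) and keep only rows where that count is zero.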

nmayafit
Path Finder

Thanks.

I tried that already, but it still shows the results in the stats.


0 Karma

PickleRick
SplunkTrust

That's why I said: if you're OK with just the aggregation, use the simple stats command. If you want to retain the original events, use eventstats (with the same syntax). Just be warned about the possible performance issues.

0 Karma

nmayafit
Path Finder

I don't need the original events, so I use stats, but it still shows as a line with these values.

0 Karma

PickleRick
SplunkTrust

Right. I forgot to rename the resulting field with stats. See @ITWhisperer's answer. It is conceptually the same as mine; it's just that he didn't forget to alias the field 🙂 His solution should work. Mine should also work if you replaced the where condition with:

| where NOT 'values(Status)'="Fail"
0 Karma

nmayafit
Path Finder

I tried his and yours with no luck. Lines with the specific attributes still show.

0 Karma

ITWhisperer
SplunkTrust

It seems like the information you have provided isn't sufficiently accurate for our suggested solutions to work. Please share more accurate representations of your raw events, preferably in a code block </> to prevent information being lost due to formatting.

0 Karma