Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to find a log entry that doesn't have a match with another one?

mortya
New Member
‎03-11-2019 04:21 PM

So, I get a bunch of log entries that look something like this (grossly simplified) example:

host1 tag - foo
host1 tag + foo
host1 tag - bar
host1 tag - something
host1 tag + something
host1 tag - evil
host1 tag + blarg
host2 tag - zoinks

I want to find the log entries that have a "- $thing" without a corresponding "+ $thing" in a 24-hour period. So for the above, I want to see "bar evil zoinks".

I can easily write a search to find the "-" entries. But when I try to exclude the ones with a corresponding "+" entry, it gets hairy. The original query already takes a while to run, and I can have thousands of matches. The obvious approach would seem to be a subsearch. But a subsearch seems like it's asking for an N-squared performance. Is there some better way to do this? I would intuitively expect that maybe a join or a selfjoin would help, but I can't figure it out. I'll keep working on this in the meantime.

Thanks!

0 Karma
Reply

mayurr98
Super Champion
‎03-11-2019 05:05 PM

I don't know if this will work or not but you can give it a try.

<fields with dash and name seperated>| table dash name 
| streamstats values(dash) as d by name |stats values(d) as d by name | where NOT d="+"

Also try this : 

<field with dash and name seperated> | table dash name |  transaction name startswith=dash="+" endswith=dash="-" maxevents=2 keepevicted=t | where linecount=1 AND dash="-" AND field_match_sum=1 | table name
0 Karma
Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...