Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to find a log entry that doesn't have a match with another one?

mortya
New Member
‎03-11-2019 04:21 PM

So, I get a bunch of log entries that look something like this (grossly simplified) example:

host1 tag - foo
host1 tag + foo
host1 tag - bar
host1 tag - something
host1 tag + something
host1 tag - evil
host1 tag + blarg
host2 tag - zoinks

I want to find the log entries that have a "- $thing" without a corresponding "+ $thing" in a 24-hour period. So for the above, I want to see "bar evil zoinks".

I can easily write a search to find the "-" entries. But when I try to exclude the ones with a corresponding "+" entry, it gets hairy. The original query already takes a while to run, and I can have thousands of matches. The obvious approach would seem to be a subsearch. But a subsearch seems like it's asking for an N-squared performance. Is there some better way to do this? I would intuitively expect that maybe a join or a selfjoin would help, but I can't figure it out. I'll keep working on this in the meantime.

Thanks!

0 Karma
Reply

mayurr98
Super Champion
‎03-11-2019 05:05 PM

I don't know if this will work or not but you can give it a try.

<fields with dash and name seperated>| table dash name 
| streamstats values(dash) as d by name |stats values(d) as d by name | where NOT d="+"

Also try this : 

<field with dash and name seperated> | table dash name |  transaction name startswith=dash="+" endswith=dash="-" maxevents=2 keepevicted=t | where linecount=1 AND dash="-" AND field_match_sum=1 | table name
0 Karma
Reply
Get Updates on the Splunk Community!

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...

🔐 Trust at Every Hop: How mTLS in Splunk Enterprise 10.0 Makes Security Simpler

From Idea to Implementation: Why Splunk Built mTLS into Splunk Enterprise 10.0  mTLS wasn’t just a checkbox ...