Splunk Search

How to get difference of events between main search and an extracted search

nirmalya2006
Path Finder

Hi Ninjas

I have a search which returns 1500 events. From that search I have extracted a field (e.g. FieldX) using a regex which matches 900 events. From the remaining 600 events, I found that I can extract another field (FieldY) which is the same as FieldX and matches another 200 events, but it needs a slight change in the regex. The problem is that the regex for FieldX does not extract values for FieldY and vice versa, though they are the same field that I need for the 900 + 200 = 1100 events.
So I wrote two separate regexes and 2 separate search queries to fetch the 1100 events and then do an append to put them all in outputlookup.
Till this, everything is fine.
Now, I want to view the remaining 1500-1100=400 events and see if I can extract any other fields that might be similar to FieldX and FieldY but do not satisfy the regex for FieldX and FieldY.
Basically, I want to do something like ((the events returned by the main search) minus (the events returned by the searches for FieldX + FieldY))

Is this possible to do?
Can you please suggest how I can do it?

Main Search :

index=idx1 sourcetype=src1 "GET /ajaxClient.aspx" 

FieldX Search

index=idx1 sourcetype=src1 "GET /ajaxClient.aspx" 
| table responseTime_1

Regex for FieldX - responseTime_1

(?=[^G]*(?:GET /ajaxClient.aspx|G.*GET /ajaxClient.aspx))^(?:[^=\n]*=){5}\w+\s+\d+\s+\d+\s+\d+\s+(?P<responseTime_1>.+)

FieldY Search

index=idx1 sourcetype=src1 "GET /ajaxClient.aspx"  "&workser="
| table responseTime_2

Regex for FieldY - responseTime_2

(?=[^G]*(?:GET /ajaxClient.aspx|G.*GET /ajaxClient.aspx))^(?:[^\-\n]*\-){7}[a-f0-9]+\s+\d+\s+\d+\s+\d+\s+(?P<responseTime_2>.+) 

Thanks


sundareshr
Legend

Try this

index=idx1 sourcetype=src1 "GET /ajaxClient.aspx" | rex "(?=[^G]*(?:GET /ajaxClient.aspx|G.*GET /ajaxClient.aspx))^(?:[^=\n]*=){5}\w+\s+\d+\s+\d+\s+\d+\s+(?P<responseTime_1>.+)" | rex "(?=[^G]*(?:GET /ajaxClient.aspx|G.*GET /ajaxClient.aspx))^(?:[^\-\n]*\-){7}[a-f0-9]+\s+\d+\s+\d+\s+\d+\s+(?P<responseTime_2>.+)" | where isnull(responseTime_1) AND isnull(responseTime_2)

*OR*

index=idx1 sourcetype=src1 "GET /ajaxClient.aspx" | rex "(?=[^G]*(?:GET /ajaxClient.aspx|G.*GET /ajaxClient.aspx))^(?:[^=\n]*=){5}\w+\s+\d+\s+\d+\s+\d+\s+(?P<responseTime_1>.+)" | rex "(?=[^G]*(?:GET /ajaxClient.aspx|G.*GET /ajaxClient.aspx))^(?:[^\-\n]*\-){7}[a-f0-9]+\s+\d+\s+\d+\s+\d+\s+(?P<responseTime_2>.+)" | eval resp_time=coalesce(responseTime_1,  responseTime_2) | where isnull(resp_time) 

OR if possible, share your raw events, and someone may be able to come up with a regex that matches both conditions.
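As an added illustration (not part of the thread), the following Python script applies the two `rex` patterns from the question to a handful of constructed events and buckets them the way the accepted answer's `where isnull(responseTime_1) AND isnull(responseTime_2)` does; the event text is made up for this example, and `partition` / `reconcile` are names chosen here.

```python
import re

# Both regexes are copied verbatim from the question; the sample events
# further down are constructed for this example and are not real log data.
RE_X = re.compile(
    r"(?=[^G]*(?:GET /ajaxClient.aspx|G.*GET /ajaxClient.aspx))"
    r"^(?:[^=\n]*=){5}\w+\s+\d+\s+\d+\s+\d+\s+(?P<responseTime_1>.+)"
)
RE_Y = re.compile(
    r"(?=[^G]*(?:GET /ajaxClient.aspx|G.*GET /ajaxClient.aspx))"
    r"^(?:[^\-\n]*\-){7}[a-f0-9]+\s+\d+\s+\d+\s+\d+\s+(?P<responseTime_2>.+)"
)

EVENTS = [  # constructed stand-ins for the "main search" results
    '"GET /ajaxClient.aspx" a=1 b=2 c=3 d=4 e=host1 200 512 33 0.123',   # FieldX only
    '"GET /ajaxClient.aspx" a=1 b=2 c=3 d=4 e=host2 200 1024 41 0.250',  # FieldX only
    'req-1 GET /ajaxClient.aspx?s=1&workser=9 sess-a-b-c-d-e-0a1f 200 512 33 0.456',  # FieldY only
    'GET /ajaxClient.aspx x-x-x-x-x-x-x-0a1f 1 2 3 a=1 b=2 c=3 d=4 e=host3 200 512 33 0.999',  # both
    'GET /ajaxClient.aspx?foo=bar sess=xyz 200 512 33 0.789',    # neither
    'GET /ajaxClient.aspx?foo=bar tenant=acme 304 0 2 unknown',  # neither
]


def partition(events):
    """Run both `rex` extractions over every event, as the accepted answer's
    pipeline does, and bucket each event by which field(s) got populated."""
    buckets = {"x_only": [], "y_only": [], "both": [], "remaining": []}
    for ev in events:
        rt1 = RE_X.search(ev)
        rt2 = RE_Y.search(ev)
        if rt1 and rt2:
            buckets["both"].append(ev)
        elif rt1:
            buckets["x_only"].append((ev, rt1.group("responseTime_1")))
        elif rt2:
            buckets["y_only"].append((ev, rt2.group("responseTime_2")))
        else:
            # where isnull(responseTime_1) AND isnull(responseTime_2)
            buckets["remaining"].append(ev)
    return buckets


def reconcile(events):
    """Counts to compare: the complement approach always sums to the main-search
    total, while appending two separate searches over-counts by the overlap."""
    b = partition(events)
    complement_total = len(b["x_only"]) + len(b["y_only"]) + len(b["both"]) + len(b["remaining"])
    append_total = (len(b["x_only"]) + len(b["both"])) + (len(b["y_only"]) + len(b["both"])) + len(b["remaining"])
    return {"total": len(events), "remaining": len(b["remaining"]), "overlap": len(b["both"]),
            "complement_total": complement_total, "append_total": append_total}
```

The fourth constructed event shows why the single-pipeline form is the safer way to get "main minus extracted": an event that satisfies both regexes is counted twice when two searches are appended, but exactly once here.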



nirmalya2006
Path Finder

Thank you very much @sundareshr
Though this did not answer my query it helped me figure out a query that gave me the non matching events.

index=index sourcetype=source "GET /ajaxClient.aspx"
| fillnull responseTime_1 value=null
| fillnull responseTime_2 value=null
| search responseTime_1 = null AND responseTime_2 = null
