
How to get events that do not contain a particular string or a pattern?

bkumarm
Contributor

I have events coming in the format below
"2018:04:04:11:19:59.926 testhostname 3:INFO TEST:NOTE FLAG 1234567894567890 praimaryflag:secondflag:action:debug message can be exception : There was a this ERROR occured "

and there are events that have different messages too, such as:

2018:04:04:11:19:59.926 testhostname 3:INFO TEST:NOTE FLAG 1234567891267895 praimaryflag:secondflag:action:debug message can be exception : There was something else
2018:04:04:11:19:59.926 testhostname 3:INFO TEST:NOTE FLAG 12345686794567891 praimaryflag:secondflag:action:debug message can be exception : Just a debug log no worries
2018:04:04:11:19:59.926 testhostname 3:INFO TEST:NOTE FLAG 1234567894567819 praimaryflag:secondflag:action:debug message can be exception : There was a different ERROR

I want to extract all events that do not contain

Case 1. " debug message can be exception : There was a this ERROR occured"
Case 2. " There was a this ERROR occured"

Need help getting the right search query or rex for this.

1 Solution

DalJeanis
SplunkTrust

Since every record that matches the second also matches the first, your REGEX is very simple

"There was a this ERROR occured"

This line, as the first line after the initial search, will eliminate all the matches...

| regex _raw!="There was a this ERROR occured"

If there was a specific other wording where "a this" is in that message, then you need to give us the exact wording.

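An added example, not from the thread, that puts the accepted exclusion together with the field extraction the asker said the report would need. The index and sourcetype names and the extracted field names are assumptions; the `rex` pattern is built from the sample lines in the question. The first search excludes the phrase in the base search, so Splunk retrieves only matching events from the index (phrase terms are case-insensitive); the second applies DalJeanis's `regex` command after retrieval, which is case-sensitive and treats the string as a regular expression.

```spl
index=main sourcetype=app_log
    NOT "There was a this ERROR occured"
| rex field=_raw "^(?<event_time>\S+)\s+(?<host_name>\S+)\s+(?<sev_num>\d+):(?<sev_name>\w+)\s+TEST:NOTE FLAG\s+(?<flag_id>\d+)\s+(?<flags>\S+)\s+message can be exception\s*:\s*(?<exception_msg>.*)$"
| stats count by sev_name, exception_msg
| sort - count

index=main sourcetype=app_log
| regex _raw!="There was a this ERROR occured"
| rex field=_raw "^(?<event_time>\S+)\s+(?<host_name>\S+)\s+(?<sev_num>\d+):(?<sev_name>\w+)\s+TEST:NOTE FLAG\s+(?<flag_id>\d+)\s+(?<flags>\S+)\s+message can be exception\s*:\s*(?<exception_msg>.*)$"
| stats count by sev_name, exception_msg
| sort - count
```

Against the four sample lines, both searches drop only the first event and return the other three with `exception_msg` set to the text after `exception :`. If the excluded message ever contains regex metacharacters (`.`, `(`, `?`), the `regex` form needs them escaped while the `NOT "..."` form does not.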

bkumarm
Contributor

@DalJeanis what I need is to filter all events that DO NOT have the string "There was a this ERROR occured " exact match. And then I will need to extract fields from those events to generate reports.


bkumarm
Contributor

Finally I got this working. Figured out that the solution did not work earlier because of a line breaking issue at transforms.
Thanks for all your time.
I am accepting this answer


niketn
Legend

@bkumar, if you know the pattern of the data to be excluded but are not sure of the pattern of the data to be included, you can create regex-based re-routing of unwanted data to a different sourcetype, so that only the required events are indexed with the existing sourcetype. Refer to the Splunk documentation for sourcetype re-routing: http://docs.splunk.com/Documentation/Splunk/latest/Forwarding/Routeandfilterdatad#Filter_and_route_e...

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

bkumarm
Contributor

@niketnilay, in the current case I do not have access to the backend to configure transforms. I have been provided access to an index that has these events. I need to use regex or search to filter/extract the required fields.


niketn
Legend

For us to assist you better you will have to provide a concrete distinction between the events to be selected and those to be filtered. The following seems to be present on all the events (whether you need them or not): "action:debug message can be exception : "

So we cannot provide you an exact filter, as the samples you have provided have some generic messages after the matched pattern. The regular expression/filter criteria have to be based on these messages only, so a generic message will not be useful for us to assist.

You can definitely look at @DalJeanis's approach of using NOT or != depending on your use case.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

bkumarm
Contributor

The first part does not matter, I want to filter all events that contain
" There was a this ERROR occurred" .
I did try @DalJeanis approach, couldn't get a complete solution though.


cpetterborg
SplunkTrust

So what was the exact thing that didn't work in Dal's approach?


bkumarm
Contributor

Already answered ... it was a small fix that was required in transforms.
