Splunk Search

How to get events that do not contain a particular string or a pattern?

bkumarm
Contributor

I have events coming in the format below
"2018:04:04:11:19:59.926 testhostname 3:INFO TEST:NOTE FLAG 1234567894567890 praimaryflag:secondflag:action:debug message can be exception : There was a this ERROR occured "

and there are events that have different messages too such as :

2018:04:04:11:19:59.926 testhostname 3:INFO TEST:NOTE FLAG 1234567891267895 praimaryflag:secondflag:action:debug message can be exception : There was something else
2018:04:04:11:19:59.926 testhostname 3:INFO TEST:NOTE FLAG 12345686794567891 praimaryflag:secondflag:action:debug message can be exception : Just a debug log no worries
2018:04:04:11:19:59.926 testhostname 3:INFO TEST:NOTE FLAG 1234567894567819 praimaryflag:secondflag:action:debug message can be exception : There was a different ERROR

I want to extract all events that do not contain

Case 1. " debug message can be exception : There was a this ERROR occured"
Case 2. " There was a this ERROR occured"

Need help getting the right search query or rex for this.

1 Solution

DalJeanis
SplunkTrust

Since every record that matches the second also matches the first, your REGEX is very simple

"There was a this ERROR occured"

This line as the first line after the initial search will eliminate all the matches...

| regex _raw!="There was a this ERROR occured"

If there was a specific other wording where "a this" is in that message, then you need to give us the exact wording.

0 Karma
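To check the accepted approach against the sample events before running it in Splunk, here is an added Python example (not code from the thread): it applies the same exclusion that `| regex _raw!="..."` does and then a `rex`-style named-group extraction of the fields the asker later says are needed for reporting. The field names and the extraction pattern are my assumptions about the event layout shown in the question.

```python
import re
from typing import List, Optional

# Constructed sample events in the shape of the thread's examples.
SAMPLE_EVENTS = [
    "2018:04:04:11:19:59.926 testhostname 3:INFO TEST:NOTE FLAG 1234567894567890 praimaryflag:secondflag:action:debug message can be exception : There was a this ERROR occured ",
    "2018:04:04:11:19:59.926 testhostname 3:INFO TEST:NOTE FLAG 1234567891267895 praimaryflag:secondflag:action:debug message can be exception : There was something else",
    "2018:04:04:11:19:59.926 testhostname 3:INFO TEST:NOTE FLAG 12345686794567891 praimaryflag:secondflag:action:debug message can be exception : Just a debug log no worries",
    "2018:04:04:11:19:59.926 testhostname 3:INFO TEST:NOTE FLAG 1234567894567819 praimaryflag:secondflag:action:debug message can be exception : There was a different ERROR",
]

# `| regex _raw!=` treats its argument as a regular expression, not a literal,
# so escape the phrase to guarantee a plain substring match (no metacharacters
# here, but a "." or "(" in another message would otherwise change the meaning).
EXCLUDE_PHRASE = "There was a this ERROR occured"
EXCLUDE_RE = re.compile(re.escape(EXCLUDE_PHRASE))

# Extraction written with Splunk-style (?<name>...) groups so the same string
# can be pasted into `| rex field=_raw "..."`. Field names are assumptions.
SPLUNK_REX = (
    r"^(?<event_time>\S+)\s+(?<host>\S+)\s+(?<level>\d+:\w+)\s+"
    r"TEST:NOTE FLAG\s+(?<flag_id>\d+)\s+(?<flags>\S+)\s+"
    r"message can be exception : (?<message>.*?)\s*$"
)
# Python's re module spells named groups (?P<name>...); the pattern has no
# lookbehind, so this textual rewrite is safe.
EVENT_RE = re.compile(SPLUNK_REX.replace("(?<", "(?P<"))


def extract_fields(raw: str) -> Optional[dict]:
    """Return the named fields of one event, or None if it does not parse."""
    match = EVENT_RE.match(raw)
    return match.groupdict() if match else None


def filter_and_extract(events: List[str], exclude=EXCLUDE_RE) -> List[dict]:
    """Drop events whose _raw contains the excluded phrase, then extract fields
    from the survivors; mirrors `... | regex _raw!="..." | rex field=_raw "..."`."""
    kept = []
    for raw in events:
        if exclude.search(raw):
            continue  # matched the unwanted message, same as regex _raw!= dropping it
        fields = extract_fields(raw)
        if fields is not None:
            kept.append(fields)
    return kept


if __name__ == "__main__":
    for row in filter_and_extract(SAMPLE_EVENTS):
        print(row["flag_id"], row["message"])
```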

bkumarm
Contributor

@DalJeanis, what I need is to filter all events that DO NOT have the string "There was a this ERROR occured " as an exact match. And then I will need to extract fields from those events to generate reports.

0 Karma

bkumarm
Contributor

Finally I got this working. I figured out that the solution did not work earlier because of a line-breaking issue in transforms.
Thanks for all your time.
I am accepting this answer.

0 Karma

niketnilay
Legend

@bkumar, if you know the pattern of the data to be excluded and are not sure of the pattern of the data to be included, you can create regex-based re-routing of the unwanted data to a different sourcetype, so that only the required events are indexed with the existing sourcetype. Refer to the Splunk documentation on sourcetype re-routing: http://docs.splunk.com/Documentation/Splunk/latest/Forwarding/Routeandfilterdatad#Filter_and_route_e...

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

bkumarm
Contributor

@niketnilay, in the current case I do not have access to the backend to configure transforms. I have been provided access to an index that has these events. I need to use regex or search to filter/extract the required fields.

0 Karma

niketnilay
Legend

For us to assist you better, you will have to provide a concrete distinction between the events to be selected and those to be filtered. The following seems to be present on all the events (whether you need them or not): "action:debug message can be exception : "

So, we cannot provide you an exact filter, as the samples you have provided have some generic messages after the matched pattern. The regular expression/filter criteria has to be based on these messages only, so generic messages will not be useful for us to assist.

You can definitely look at @DalJeanis's approach of using NOT or != depending on your use case.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

bkumarm
Contributor

The first part does not matter; I want to filter all events that contain
" There was a this ERROR occurred".
I did try @DalJeanis's approach, but couldn't get a complete solution.

0 Karma

cpetterborg
SplunkTrust

So what was the exact thing that didn't work in Dal's approach?

0 Karma

bkumarm
Contributor

Already answered ... it was a small fix that was required in transforms.

0 Karma