Splunk Search

How to grep filter search results with does not equal

tbalouch
Path Finder

Hi Guys,

I want to filter a virus scan log on my nix systems but am having an issue creating the alert for the search. I only want it to send the alert if the search does not match 0, which means there was a virus detected. This is what I have so far:

source="/var/log/uvscan.log" | search Possibly Infected:............. 0

How can I change this search to only show results that don't match search Possibly Infected:............. 0?

0 Karma
1 Solution

Ayn
Legend

It sounds to me like you should take the search tutorial, especially parts 4 and 5 which cover searching. http://docs.splunk.com/Documentation/Splunk/latest/SearchTutorial/WelcometotheSearchTutorial

The direct answer to your question is: put a NOT before your search statement. But I see more issues with your search.

First of all, you're telling Splunk to first grab ALL events from the data with source "/var/log/uvscan.log" and THEN start filtering. This is inefficient - while it may work OK with small files, it'll become a performance nightmare with large ones, as Splunk needs to read all those events off disk even though you're only interested in a fraction of them. You should put as much filtering as possible in your base search instead.

Also, while you certainly can search for events which do not have the specific string "Possibly Infected:............ 0", a better approach would be to create a field extraction instead, so you can do something like "NOT Possibly_Infected=0".

All in all, the rewritten search with these suggested changes would look something like this:

source="/var/log/uvscan.log" NOT Possibly_Infected=0

Or, if you still don't want to extract the field for some reason, just

source="/var/log/uvscan.log" NOT "Possibly Infected:............. 0"

tbalouch
Path Finder

Thanks this was helpful!

0 Karma

bbiandov
Path Finder

I figured this and it worked for me: host OP AND eventtype=cisco_ios | search 3C:00:E6:01:8D:02

0 Karma