Splunk Search

Re: How to search for hosts with an issue where a type of event was not followed by another type within an hour?

SplunkTrust

I hope you're saying you want to INCLUDE events where the final "Action Taken" is "Partly Remove" OR "Unknown", so try this one.

your base search | transaction maxspan=60m startswith="ActionTaken=None" keeporphans=t  | where isnull(mvfind(ActionTaken,"removed")) OR isnull(mvfind(ActionTaken,"blocked"))

Basically, add all the ActionTaken values you want to exclude in the where clause.

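The same check expressed outside Splunk, as an added example that is not part of the thread: it mimics `transaction maxspan=60m startswith="ActionTaken=None"` grouped per host and reports hosts whose None event was not followed by any of the listed closing actions within the window. The event lines, host names and the `unresolved_hosts` function are constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample events (not from the thread), one per line:
# "<ISO timestamp> <host> <ActionTaken>"
SAMPLE_EVENTS = """\
2023-05-01T10:00:00 hostA None
2023-05-01T10:20:00 hostA removed
2023-05-01T11:00:00 hostB None
2023-05-01T11:30:00 hostB Partly Remove
2023-05-01T12:00:00 hostC None
2023-05-01T13:30:00 hostC blocked
2023-05-01T14:00:00 hostD None
2023-05-01T14:10:00 hostD Unknown
2023-05-01T14:40:00 hostD blocked
"""

CLOSING_ACTIONS = {"removed", "blocked"}  # the actions filtered out in the where clause
MAXSPAN = timedelta(minutes=60)           # mirrors transaction maxspan=60m


def parse_events(text):
    """Parse the constructed log lines into sorted (timestamp, host, action) tuples."""
    events = []
    for line in text.splitlines():
        ts, host, action = line.split(" ", 2)
        events.append((datetime.fromisoformat(ts), host, action))
    return sorted(events)


def unresolved_hosts(events, closing=CLOSING_ACTIONS, maxspan=MAXSPAN):
    """Hosts with an ActionTaken=None event that no closing action followed
    on the same host within maxspan (the 'still unresolved' cases)."""
    by_host = {}
    for ts, host, action in events:
        by_host.setdefault(host, []).append((ts, action))
    flagged = set()
    for host, items in by_host.items():
        for i, (start_ts, action) in enumerate(items):
            if action != "None":
                continue  # only "None" opens a transaction (startswith)
            # Events on this host inside the 60m window after the start event
            window = [a for t, a in items[i + 1:] if t - start_ts <= maxspan]
            if not any(a in closing for a in window):
                flagged.add(host)
    return flagged


if __name__ == "__main__":
    print(sorted(unresolved_hosts(parse_events(SAMPLE_EVENTS))))
```

hostC is flagged because its "blocked" event arrives 90 minutes later, outside the window, while hostD is resolved even though an "Unknown" event sits between its None and blocked events.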

Re: How to search for hosts with an issue where a type of event was not followed by another type within an hour?

Explorer

Error in 'where' command: The arguments to the 'isnull' function are invalid.


Re: How to search for hosts with an issue where a type of event was not followed by another type within an hour?

Explorer

Hello there

Can you please check if there is something wrong in the syntax?


Re: How to search for hosts with an issue where a type of event was not followed by another type within an hour?

SplunkTrust

I updated the query. Please check back.


Re: How to search for hosts with an issue where a type of event was not followed by another type within an hour?

Community Manager

Hi @shellnight

@somesoni2 updated the query. Can you confirm whether or not this worked for you?
