Are you a member of the Splunk Community?
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to search new values for a field (exception) i...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
index=dotcom source=*system* *exception* earliest = -7d NOT [search index=dotcom source=*system* *exception* earliest = -20d | return 10000 exception] | dedup exception | table exception
I am trying the above search, but it is not giving me the right results.
For example, consider this scenario:
From April 1st to April 15th i got the following values of field exception:
- A
- B
- C
- D
Now From April 16th to April 23 i got the following values :-
- A
- B
- X
- Y
In my search result i want values of field exception which were present in the last 7 days (i.e 16th to 23rd) but not prior to that. So the result should give me
- X
- Y
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
index=dotcom source=system exception earliest = -30d latest=now |
stats earliest(_time) as FirstOccurence by exception |
fieldformat FirstOccurence = strftime(FirstOccurence,"%d/%m/%y %H:%M:%S") |
eval SevenDaysBack = relative_time(now(), "-7d@d" ) |
fieldformat SevenDaysBack = strftime(SevenDaysBack ,"%d/%m/%y %H:%M:%S")|
Table FirstOccurence exception SevenDaysBack | where FirstOccurence > SevenDaysBack
Logic :-
First i found the First occurence of each Exception In the last one month. Example
- NullPointerException On 01/04/2015
- ObjectNotFoundException On 11/4/2015
- NoSuchElementException On 22/4/2015
- StaplesIGFormattingException On 23/4/2015
Now, out of these results i select only those whose First Occernce was within last one week.
So i get :-
- NoSuchElementException On 22/4/2015
- StaplesIGFormattingException On 23/4/2015
It is giving me right results.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
index=dotcom source=system exception earliest = -30d latest=now |
stats earliest(_time) as FirstOccurence by exception |
fieldformat FirstOccurence = strftime(FirstOccurence,"%d/%m/%y %H:%M:%S") |
eval SevenDaysBack = relative_time(now(), "-7d@d" ) |
fieldformat SevenDaysBack = strftime(SevenDaysBack ,"%d/%m/%y %H:%M:%S")|
Table FirstOccurence exception SevenDaysBack | where FirstOccurence > SevenDaysBack
Logic :-
First i found the First occurence of each Exception In the last one month. Example
- NullPointerException On 01/04/2015
- ObjectNotFoundException On 11/4/2015
- NoSuchElementException On 22/4/2015
- StaplesIGFormattingException On 23/4/2015
Now, out of these results i select only those whose First Occernce was within last one week.
So i get :-
- NoSuchElementException On 22/4/2015
- StaplesIGFormattingException On 23/4/2015
It is giving me right results.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
try this :
index=dotcom source=system exception earliest = -23d latest=now NOT [search index=dotcom source=system exception earliest = -23d latest= -7d |eval exception2=exception ] |eval exception=if(exception != exception2, exception , " ")| dedup exception | table exception
or
index=dotcom source=system exception earliest = -23d latest=now [search index=dotcom source=system exception earliest = -23d latest= -7d |eval exception2=exception ] |eval exception=if(exception != exception2, exception , " ")| dedup exception | table exception
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
try like this:
index=dotcom source=system exception earliest = -23d latest=now NOT [search index=dotcom source=system exception earliest = -23d latest= -7d ] | dedup exception | table exception
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hey,
The problem is i am still getting all the results
- A
- B
- X
- Y
May be the issue is :
Exception with value A on 1st april(Timestamp) is considered different from Exception with value A on 22nd April.
So the "NOT" is not considering them as same events. and thus I am still getting the older values.
Hope i am clear.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
try this: index=dotcom source=system exception earliest = -23d latest=now NOT [search index=dotcom source=system exception earliest = -23d latest= -7d ] | dedup exception | table exception
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi try this,
index=dotcom source=system exception earliest = -7d NOT [search index=dotcom source=system exception earliest=0 latest=-7d| return 10000 exception] | dedup exception | table exception
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
try with this query:
index=dotcom source=system exception earliest = -7d | dedup exception | table exception
when you run it, splunk filter automaticaly only the events that occured in last 7 days. Thus the values of exception field cocern only the last 7 days.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Consider this scenario :
From April 1st to April 15th i got the following values of field Exception :
- A
- B
- C
- D
Now From April 16th to April 23 i got the following values :-
- A
- B
- X
- Y
In my search result i want values of field Exception which were present in the last 7 days(i.e 16th to 23rd) but not prior to that . So the result should give me
- X
- Y
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
See query that follow:
index=dotcom source=system exception ((earliest=-7d) NOT (earliest=0 latest=-7d))| dedup exception | table exception
earliest=0 latest=-7d meaning the corresponding results in the range from the beginning until it 7 days left to reach the current time.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hey,
The problem is i am still getting all the results
- A
- B
- X
- Y
May be the issue is :
Exception with value A on 1st april(Timestamp) is considered different from Exception with value A on 22nd April.
So the "NOT" is not considering them as same events. and thus I am still getting the older values.
Hope i am clear.
Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps
What’s New in Splunk Observability – September 2025
Fun with Regular Expression - multiples of nine
