Splunk Search

How to use NOT-EXISTS in SPLUNK ?

Real_captain
Path Finder

Hi 

I want to create a search to find all the events for which the last row exists but there is at least one row missing. An example is attached below:

Splunk Query : 

`macro_events_prod_gch_comms_esa`
gch_messageType="Seev.047*" host="p*" gch_status="*" NOT "BCS"
| table BO_PageNumber, BO_LastPage, gch_status
| rename BO_PageNumber as PageNo, BO_LastPage as LastPage, gch_status as Status
| sort PageNo

The requirement is to find all the events for which a row with LastPage = True exists and at least one row is missing whose PageNo is less than the PageNo of the row with LastPage = True.

[attached image: Real_captain_0-1707469094624.png]


ITWhisperer
SplunkTrust
| streamstats count
| where PageNo != count
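A complete search that covers the asker's full requirement, added here as an example; it is not code from the original question or answer. It builds on the streamstats idea in the answer above, but reports each gap only once and lists the page numbers that are missing, and it only reports gaps when a row with LastPage set to true actually exists. The macro and the BO_*/gch_* fields are the asker's own. Everything else is an assumption not stated on the page: BO_LastPage holds the string true (any letter case) on the final page; pages are numbered from 1 (made explicit in the firstPage field); BO_PageNumber may be indexed as a string, so it is converted with tonumber before sorting and comparing; and the result set holds a single message series.

```spl
`macro_events_prod_gch_comms_esa`
    gch_messageType="Seev.047*" host="p*" gch_status="*" NOT "BCS"
| rename BO_PageNumber AS PageNo, BO_LastPage AS LastPage, gch_status AS Status
| eval PageNo=tonumber(PageNo), firstPage=1
| eventstats max(eval(if(lower(LastPage)="true", PageNo, null()))) AS lastPageNo
| where isnotnull(lastPageNo) AND PageNo<=lastPageNo
| dedup PageNo
| sort 0 PageNo
| streamstats current=f last(PageNo) AS prevPage
| eval prevPage=coalesce(prevPage, firstPage-1)
| where PageNo-prevPage>1
| eval missingPages=mvrange(prevPage+1, PageNo)
| table PageNo, prevPage, missingPages, lastPageNo, LastPage, Status
```

How it works: eventstats copies the PageNo of the LastPage=true row onto every event as lastPageNo, and the first where drops result sets that have no final page (the requirement only asks for gaps when the last page exists) as well as stray pages above it. dedup removes re-sent copies of the same page so they do not shift the running count; sort 0 lifts the default 10,000-row limit of sort. streamstats with current=f carries the previous page number into each event, so a difference greater than one between PageNo and prevPage marks exactly one row per gap, and mvrange expands that gap into the missing page numbers (mvrange's end is exclusive). With pages 1, 2, 4, 5 and LastPage true on page 5, the output is a single row with PageNo=4, prevPage=2 and missingPages=3; with the final page absent, nothing is returned. If several message series are mixed in one result set, add a `by <message key>` clause to eventstats, dedup and streamstats (the key field name is not shown on the page).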