Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to use NOT-EXISTS in SPLUNK ?

Real_captain
Path Finder
‎02-09-2024 01:01 AM

Hi 

I want to create a search to find all the events for which last row exists but there is atleast 1 row missing. Example is attached below : 

Splunk Query : 

`macro_events_prod_gch_comms_esa` 
gch_messageType="Seev.047*" host="p*" gch_status="*" NOT"BCS" | table BO_PageNumber,BO_LastPage,gch_status
|rename BO_PageNumber as PageNo , BO_LastPage as LastPage , gch_status as Status
| sort by PageNo

Requirement is find all the events for which LastPage as True exists and there is atleast 1 row missing with PageNo  less than the PageNo of row with  LastPage as True.  

 

 

 

Real_captain_0-1707469094624.png

 

Labels (1)
Labels
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎02-09-2024 01:09 AM 
| streamstats count
| where PageNo != count
0 Karma
Reply
Get Updates on the Splunk Community!

Transforming Financial Data into Fraud Intelligence

Every day, banks and financial companies handle millions of transactions, logins, and customer interactions ...

How to send events & findings from AWS to Splunk using Amazon EventBridge

Amazon EventBridge is a serverless service that uses events to connect application components together, making ...

Exciting News: The AppDynamics Community Joins Splunk!

Hello Splunkers,   I’d like to introduce myself—I’m Ryan, the former AppDynamics Community Manager, and I’m ...
li.common.scroll-to.top