Splunk Search

How to write a search to show events that do not meet transaction requirements?

Explorer

Hello,

I am trying to find a way to show events which are not meeting transaction requirements. So of course I can't use |transaction. I was thinking of using eval with if or case, but I would be grateful for help. What I've got is:

index=abc host=server
source="C:\\...\\Logs\\ex*"
OR source="C:\\...\\cmdout1.log"
OR source="C:\\...\\cmdout2.log"

created OR encrypt

|rex "(?:(?<date_cre>\d{4}\-\d{2}\-\d{2} \d{2}\:\d{2}\:\d{2}).*|(?:(?<encry>encrypt)\.cmd\s))(?<FileN>\d{5}\-\w\-\w\-\d{5}\-\d{8}\-\d{2}\-\d)(?:.*\nStarted at\: (?<date_enc>[ \/0-9\:]*))?"
|stats values(*) as * by FileN
|table date_cre FileN encry date_enc

All works fine, but I'd like to get rid of some events from the results. The rule would be: ignore if "created" and "encrypt" both match the FileN. That way, I would see only those files that didn't make it to the "encryption" step, which means an error for those files.

Thanks,
- F.


Re: How to write a search to show events that do not meet transaction requirements?

Motivator

Can you please post an example of an event you want to discard? Especially the value of the FileN field would be interesting, as this is the one you want to compare with your search strings.


Re: How to write a search to show events that do not meet transaction requirements?

Explorer

There are two events. One is "created", which says the file was created in the system correctly, and the second is "encrypt", which says the file was processed correctly. As you can see, I've made a table out of it. As the final result, I want the table not to show those rows which have an encrypt event matched.

In events below "90004-K-P-60721-01-30430489-14" is FileN, and it occurs in both "created" and "encrypt".

Event #1 "encrypt" - this i want to hide
Command: c:(cut)pgpencrypt.cmd 90004-K-P-60721-01-30430489-14.zip.end \(cut)\plpic
... 3 lines omitted ...
(cut)
... 21 lines omitted ...
C:(cut)>if on == on echo Thu 07/28/2016- 8:30:08.91 OK - launch "c:(cut)pgp_encrypt.cmd" 90004-K-P-60721-01-30430489-14.zip.end \(cut)\script-072816-083008-15583.log
... 45 lines omitted ...
0x1419A3FE:encrypt ( (cut) )
\(cut)\90004-K-P-60721-01-30430489-14.zip:encrypt ( (cut) \OUT\90004-K-P-60721-01-30430489-14.zip.pgp)

Event #2 "created"
2016-07-28 06:24:24 80.55.107.10 - (cut) [2035]created /90004-K-P-60721-01-30430489-14.fwd.pgp - 226 - 218196 - 22


Re: How to write a search to show events that do not meet transaction requirements?

SplunkTrust

Give this a try

index=abc host=server source="C:\\...\\Logs\\ex*" OR source="C:\\...\\cmdout1.log" OR source="C:\\...\\cmdout2.log"
created OR encrypt | eval type=if(match(_raw,"created"),"created","encrypt")
|rex "(?:(?<date_cre>\d{4}\-\d{2}\-\d{2} \d{2}\:\d{2}\:\d{2}).*|(?:(?<encry>encrypt)\.cmd\s))(?<FileN>\d{5}\-\w\-\w\-\d{5}\-\d{8}\-\d{2}\-\d)(?:.*\nStarted at\: (?<date_enc>[ \/0-9\:]*))?"
|stats values(*) as * by FileN | where mvcount(type)=1
|table date_cre FileN encry date_enc type

Re: How to write a search to show events that do not meet transaction requirements?

Explorer

Yeah, I'm a bloody idiot... It was soooo simple, almost like somesoni2 suggested.
I wanted to post it yesterday, but Karma didn't let me post more than 2 each day.

|rex "(?:(?<date_cre>\d{4}\-\d{2}\-\d{2} \d{2}\:\d{2}\:\d{2}).*|(?:(?<encry>encrypt)\.cmd\s))(?<FileN>\d{5}\-\w\-\w\-\d{5}\-\d{8}\-\d{2}\-\d)(?:.*\nStarted at\: (?<date_enc>[ \/0-9\:]*))?"
|stats values(*) as * by FileN
|eval processed=if(match(date_enc, "\d"), "Yep", "Nope")
|table date_cre FileN processed date_enc
|search processed="Nope"

Because date_enc always has a first digit, I can easily check on it. And if the file didn't make it to the encryption step, the field "date_enc" is empty. To find error files I only needed to search for it. Thanks for help anyway 🙂
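As an added, runnable illustration of the pairing logic this thread converges on (this is not code from the thread or from Splunk), the same pipeline in Python over constructed events modelled on the two the OP posted: extract a file identifier and an event type from each event, group by FileN (the stats ... by FileN step), and keep only the files that have a "created" event but no "encrypt" event. The FILE_ID pattern is an assumption read off the sample file name (the OP's own rex uses a different shape), the "Started at:" line in the encrypt sample is assumed because the OP's rex expects it but it falls inside the lines cut from the post, and Python's re module needs (?P<name>...) where Splunk's rex takes (?<name>...).

```python
import re
from collections import defaultdict

# Constructed sample events modelled on the two the OP posted (not real log data).
# File ...-14 has both a "created" and an "encrypt" event; file ...-15 only gets
# "created", so it is the one that stalled before the encryption step.
SAMPLE_EVENTS = [
    "2016-07-28 06:24:24 80.55.107.10 - (cut) [2035]created "
    "/90004-K-P-60721-01-30430489-14.fwd.pgp - 226 - 218196 - 22",
    "2016-07-28 06:25:01 80.55.107.10 - (cut) [2036]created "
    "/90005-K-P-60721-01-30430489-15.fwd.pgp - 226 - 218196 - 22",
    # Multi-line encrypt event. The "Started at:" line is assumed: the thread's rex
    # expects it, but it falls inside the lines the OP cut from the sample.
    "Command: c:(cut)pgpencrypt.cmd 90004-K-P-60721-01-30430489-14.zip.end \\(cut)\\plpic\n"
    "Started at: 07/28/2016  8:30:08\n"
    "\\(cut)\\90004-K-P-60721-01-30430489-14.zip:encrypt ( (cut) \\OUT\\90004-K-P-60721-01-30430489-14.zip.pgp)",
]

# Assumed file-id shape, read off the sample file name (not the OP's rex pattern).
FILE_ID = r"\d{5}-\w-\w-\d{5}-\d{2}-\d{8}-\d{2}"

# "created" events: timestamp first, file id after "created /".
CREATED_RE = re.compile(
    r"^(?P<date_cre>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}).*?\bcreated /(?P<FileN>" + FILE_ID + r")"
)
# "encrypt" events: file id right after "encrypt.cmd", optional "Started at:" line later on.
ENCRYPT_RE = re.compile(
    r"encrypt\.cmd\s+(?P<FileN>" + FILE_ID + r")(?:.*?\nStarted at: (?P<date_enc>[ /0-9:]+))?",
    re.DOTALL,
)


def classify(event):
    """Equivalent of the thread's eval type=if(match(_raw,"created"),...) plus the rex.
    Returns a dict with type, FileN and the timestamp that exists for that type, or None."""
    m = CREATED_RE.search(event)
    if m:
        return {"type": "created", "FileN": m["FileN"], "date_cre": m["date_cre"]}
    m = ENCRYPT_RE.search(event)
    if m:
        return {"type": "encrypt", "FileN": m["FileN"], "date_enc": m["date_enc"]}
    return None


def group_by_file(events):
    """stats values(*) as * by FileN: one bucket of extracted records per file id."""
    by_file = defaultdict(list)
    for event in events:
        rec = classify(event)
        if rec is not None:
            by_file[rec["FileN"]].append(rec)
    return by_file


def unprocessed_files(events):
    """Files that were created but never reached the encryption step.
    Returns {FileN: date_cre}. Testing for the absence of an "encrypt" record
    (rather than mvcount(type)=1) keeps a stray encrypt-without-created out of the result."""
    stalled = {}
    for filen, recs in group_by_file(events).items():
        types = {r["type"] for r in recs}
        if "created" in types and "encrypt" not in types:
            stalled[filen] = next(r["date_cre"] for r in recs if r["type"] == "created")
    return stalled


if __name__ == "__main__":
    for filen, created in unprocessed_files(SAMPLE_EVENTS).items():
        print(f"{filen} created {created} but never encrypted")
```

Two caveats the thread's one-liners gloss over: `where mvcount(type)=1` also returns a file that has an "encrypt" event but no "created" event (values() gives it one distinct type too), and `match(date_enc, "\d")` treats an encrypt event whose "Started at:" line is missing as unprocessed. Checking explicitly for "created present, encrypt absent" avoids both.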
