Splunk Search

How to write a search which excludes events found in another source based on some string?

vickydada
New Member

Hi,

I am facing difficulties in forming one search. Details are as follows.

Two different searches,

Search1:

source="/opt/pmx6/var/log/message_log" | stats count by t

Search2:

source="/var/log/maillog" "Host or domain name not found" OR "Host not found" | stats count by to

Here t and to are same fields with same values.

I need a consolidated search in Search1 which gives me results of count t, but exclude the events found in Search2.

So far I've tried,

1)

source="/opt/pmx6/var/log/message_log" | join t [search source="/var/log/maillog" "Host or domain name not found" OR "Host not found" | rename to as t] | stats count by t

This search gives me all the events which are found in Search2. (Opposite of what I want!)

2)
Tried to add Splunk Suppression,

index=notable| join t [search source="/var/log/maillog" "Host or domain name not found" OR "Host not found"| rename to as t]

But it seems like pipes are not allowed there.

It would be a great help. Thanks in advance guys. 🙂

0 Karma

twinspop
Influencer
source="/opt/pmx6/var/log/message_log" NOT [search source="/var/log/maillog" "Host or domain name not found" OR "Host not found"| stats count by to | rename to as t | fields t ] | stats count by t

Another option, potentially avoiding limit issues re: the sub search returning too many results. Use a join with some extra logic:

source="/opt/pmx6/var/log/message_log" | stats count as good by t | join type=outer t  [ search source="/var/log/maillog" "Host or domain name not found" OR "Host not found"| stats count as bad by to | rename to as t ] | where isnotnull(good) and isnull(bad)

The where statement will only keep those rows that have results from search1 AND NOT results from search2.

0 Karma

sundareshr
Legend

See if this gets you what you are looking for.

source="/opt/pmx6/var/log/message_log" OR source="/var/log/maillog" NOT ("Host or domain name not found" OR "Host not found") | eval tto=coalesce(t, to) | stats count by tto
0 Karma
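
Added example (not from any of the posters above): the same exclusion done in a single pass with no subsearch or join, by reading both sources and counting per address. The names `rcpt` and `is_bad` are assumptions made here; `good` and `bad` follow the naming used in the join answer, and `t` and `to` are assumed to hold identical values, as the question states.

```spl
(source="/opt/pmx6/var/log/message_log") OR (source="/var/log/maillog" ("Host or domain name not found" OR "Host not found"))
| eval rcpt=coalesce(t, to)
| eval is_bad=if(source="/var/log/maillog", 1, 0)
| stats count(eval(is_bad=0)) as good, sum(is_bad) as bad by rcpt
| where good>0 AND bad=0
| rename rcpt as t, good as count
| fields t count
```

The `where` clause keeps only addresses that appear in message_log and never in a matching maillog event. Both sources are read over the same time range, so the range has to cover the maillog failures you want to exclude.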