Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

If then statement where the output will exclude a value from search.

jared_anderson
Path Finder
‎10-09-2017 08:27 AM

I want a statement that will evaluate field A, and if the value of field A equals 1, then I want to exclude any value of field B from the search.

Tags (2)
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎10-09-2017 09:00 AM

Hi jared_anderson,
modify your main search to have only the events you want

sourcetype="email" MailDirectionField=inbound | transaction MID | ...

Bye.
Giuseppe

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎10-09-2017 09:10 AM

Hi jared_anderson,
try

 sourcetype="email" MailDirectionField!=outbound | transaction MID | ...

Bye.
Giuseppe

0 Karma
Reply

jared_anderson
Path Finder
‎10-09-2017 10:26 AM

the problem with that is then that will only remove one event when there are 20+ events that contain that MID.

event1, maildirection=outbound, MID=123
event2, sourceuser=user1, MID=123
event3, destinationuser=user2, MID=123

event1, maildirection=outbound, MID=124
event2, sourceuser=user1, MID=124
event3, destinationuser=user2, MID=124

event1, maildirection=outbound, MID=125
event2, sourceuser=user1, MID=125
event3, destinationuser=user2, MID=125

in that last search each event1 would not be returned, but the rest of the events with MID 123, 124 and 125 would be returned.

0 Karma
Reply

pradeepkumarg
Influencer
‎10-09-2017 08:36 AM

Something like below?

...| eval fieldA = myEvalFunction | search NOT (fieldA=1 AND fieldB=*)
0 Karma
Reply

jared_anderson
Path Finder
‎10-09-2017 08:46 AM

So i have email events, where a series of logs have the same Message ID (MID).

So instead of having to run:
sourcetype="email" | transaction MID |

I want to limit the number of entries and only search against MailDirectionField=inbound. Not every event has MailDirectionField, but they do have the MID field. so I want my evaluation to state that if MailDirectionField=inbound then NOT MID associated with that event.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability as Code: From Zero to Dashboard

For the details on what Self-Service Observability and Observability as Code is, we have some awesome content ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...