Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Need Help With Simple NOT Search
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
andrewkenth
Communicator
12-11-2013
09:50 AM
I can't beleive I'm coming to Answers to ask this as I've done it many times before but I must be missing something that I'm hoping you can help me find.
I have a list of events by user and date and I want to show any of those user/date combiation not in the list of user date combinations below:
List of Events with Users (and Date)
index=charlesriver (sourcetype=SQLAPP_Events OR sourcetype=SQLRPT_Events) "Login succeeded for user " | bucket span=1d _time | stats count first(_time) as Date by _time, SqlServerLogon | rename SqlServerLogon as UserName
List of Allowed Users (and Date)
index=charlesriver (sourcetype=SqlServer_AppDB_Users OR sourcetype=SqlServer_RptDB_Users) | bucket span=1d _time | stats count first(_time) as Date by _time, UserName | table Date, UserName
index=charlesriver (sourcetype=SQLAPP_Events OR sourcetype=SQLRPT_Events) "Login succeeded for user " | bucket span=1d _time | stats count first(_time) as Date by _time, SqlServerLogon | rename SqlServerLogon as UserName
| search NOT [ search
index=charlesriver (sourcetype=SqlServer_AppDB_Users OR sourcetype=SqlServer_RptDB_Users) | bucket span=1d _time | stats count first(_time) as Date by _time, UserName | table Date, UserName
]
| eval Date=strftime(Date,"%m/%d/%Y") | table Date, UserName, count | sort -Date
My raw data and props.conf look like this:
"TimeStamp","ServerName","HostName","DBName","UserName","LoginType","AssociatedRole"
"Dec 10 2013 12:36AM","426420-SQLCLUS1","426099-WELLDB1","ConfigLogging","dbo","WINDOWS_USER","db_owner"
NO_BINARY_CHECK = 1
pulldown_type = 1
HEADER_MODE = firstline
FIELD_DELIMITER=,
FIELD_QUOTE="
TIME_FORMAT=%b %d %Y %H:%M%p
TIMESTAMP_FIELDS=TimeStamp
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
andrewkenth
Communicator
12-12-2013
07:36 AM
Something seemed to have been wrong with my search string as this works:
index=charlesriver (sourcetype=SQLAPP_Events OR sourcetype=SQLRPT_Events) "Login succeeded for user "
| bucket span=1d _time | stats count first(_time) as Date by _time, SqlServerLogon | rename SqlServerLogon as UserName | table Date UserName count
| search NOT [ search
index=charlesriver sourcetype=SqlServer_AppDB_Users OR sourcetype=SqlServer_RptDB_Users | bucket span=1d _time | stats count first(_time) as Date by _time, UserName | table Date UserName | sort -Date
] | eval Date=strftime(Date,"%m/%d/%Y") | table Date, UserName, count | sort -Date
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
andrewkenth
Communicator
12-12-2013
07:36 AM
Something seemed to have been wrong with my search string as this works:
index=charlesriver (sourcetype=SQLAPP_Events OR sourcetype=SQLRPT_Events) "Login succeeded for user "
| bucket span=1d _time | stats count first(_time) as Date by _time, SqlServerLogon | rename SqlServerLogon as UserName | table Date UserName count
| search NOT [ search
index=charlesriver sourcetype=SqlServer_AppDB_Users OR sourcetype=SqlServer_RptDB_Users | bucket span=1d _time | stats count first(_time) as Date by _time, UserName | table Date UserName | sort -Date
] | eval Date=strftime(Date,"%m/%d/%Y") | table Date, UserName, count | sort -Date
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
aelliott
Motivator
12-12-2013
06:32 AM
try including the trim search command in the usernames to see if there are spaces after them.
Eval UserName=trim(SqlServerLogon)
Eval UserName=trim(UserName)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
andrewkenth
Communicator
12-11-2013
02:00 PM
Unexpected meaning I almost always have a match and this search shows that there are never matches. I can manually find the same Date/UserName combination value in each list.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
kristian_kolb
Ultra Champion
12-11-2013
12:15 PM
...and perhaps I should ask, 'unexpected how?'?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
kristian_kolb
Ultra Champion
12-11-2013
12:12 PM
what if you use fields + Date, Username instead of table at the end of the subsearch
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
andrewkenth
Communicator
12-11-2013
12:08 PM
They do appear to be correct. Only when I combine them do I see unexpected results.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
somesoni2
Revered Legend
12-11-2013
10:15 AM
Try following
index=charlesriver (sourcetype=SQLAPP_Events OR sourcetype=SQLRPT_Events) "Login succeeded for user "
| bucket span=1d _time | stats count first(_time) as Date by SqlServerLogon | rename SqlServerLogon as UserName
|search [index=charlesriver (sourcetype=SqlServer_AppDB_Users OR sourcetype=SqlServer_RptDB_Users)
| bucket span=1d _time| stats first(_time) as Date by UserName]
| eval Date=strftime(Date,"%m/%d/%Y") | table Date, UserName, count | sort -Date
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
somesoni2
Revered Legend
12-11-2013
01:07 PM
No, I have missed it. Please include NOT after "search" command in line 5 of search.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
andrewkenth
Communicator
12-11-2013
11:47 AM
Am I missing something though? I want everything in the 1st list that is NOT in the 2nd list. Shouldn't I be using the NOT search?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
kristian_kolb
Ultra Champion
12-11-2013
10:13 AM
What do the results look like when you run the searches separately. Ok?
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Get Updates on the Splunk Community!
Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain
Boston may be buzzing this September with Splunk University and .conf25, but you don’t have to pack a bag to ...
Splunk Lantern’s Guide to The Most Popular .conf25 Sessions
Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...
Unlock What’s Next: The Splunk Cloud Platform at .conf25
In just a few days, Boston will be buzzing as the Splunk team and thousands of community members come together ...
