Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Nested Search Question

mmccaugh9472
Observer
‎11-09-2020 10:01 AM

OK I have been reading most of the morning and I have to just be missing something very simple.

To explain what I am trying to do.

1. Lets take the simple query index=* host=*test*|dedup host|table host

This will obviously give me a unique list of hosts.

2. Second Query index=* host=*test* "Bleebles"|dedup host|table host

This query will give me a unique list of hosts where the string "Bleebles" was found. (Obviously this is just example data)

What I am trying (And failing) at is marrying these two queries up, and returning ONLY hostnames that DO NOT return records with the string "Bleebles" but of course issue #1 is when I invert the logic on search #2 I get EVERY record that has been splunked and doesn't match (Which is literally all the data) 

Can anyone help with the logic I am missing here, using the two very basic queries above how would I first generate the full host list (That's the easy part) but then print a deduped list of hostnames that did NOT return a result in query #2, thereby giving me an exceptions list?

 

 

Labels (1)
Labels
0 Karma
Reply

somesoni2
Revered Legend
‎11-09-2020 12:33 PM

Try something like this:

 

index=* host=*test* | eval hasString=if(match(_raw,"Bleebles"),1,0) | stats max(hasString) as hasString by host | where hasString=0 |table host
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎11-09-2020 11:21 AM 
index=* host=*test* | where not match(_raw,"Bleebles")|dedup host|table host
0 Karma
Reply

mmccaugh9472
Observer
‎11-09-2020 12:12 PM

This one still gives me the entire list (Not just the exceptions) but what I wrote does work, I just need to figure out why it takes so long to run and what I can do to improve it.

But at least it is accurate which is a start! 

0 Karma
Reply

mmccaugh9472
Observer
‎11-09-2020 10:28 AM

OK I think I may have finally figured this out, posting what I did in case anyone else comes across this down the line.

 

index=* host=*test* | join type=outer host [ search index=* host=*test* "Bleebles" | stats count by host ] | where isnull(count) | dedup host | table host | sort by host

This appears to be working so far!

 

0 Karma
Reply
Get Updates on the Splunk Community!

Exciting News: The AppDynamics Community Joins Splunk!

Hello Splunkers,   I’d like to introduce myself—I’m Ryan, the former AppDynamics Community Manager, and I’m ...

The All New Performance Insights for Splunk

Splunk gives you amazing tools to analyze system data and make business-critical decisions, react to issues, ...

Good Sourcetype Naming

When it comes to getting data in, one of the earliest decisions made is what to use as a sourcetype. Often, ...
li.common.scroll-to.top