Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Nested Search Question

mmccaugh9472
Observer
‎11-09-2020 10:01 AM

OK I have been reading most of the morning and I have to just be missing something very simple.

To explain what I am trying to do.

1. Lets take the simple query index=* host=*test*|dedup host|table host

This will obviously give me a unique list of hosts.

2. Second Query index=* host=*test* "Bleebles"|dedup host|table host

This query will give me a unique list of hosts where the string "Bleebles" was found. (Obviously this is just example data)

What I am trying (And failing) at is marrying these two queries up, and returning ONLY hostnames that DO NOT return records with the string "Bleebles" but of course issue #1 is when I invert the logic on search #2 I get EVERY record that has been splunked and doesn't match (Which is literally all the data) 

Can anyone help with the logic I am missing here, using the two very basic queries above how would I first generate the full host list (That's the easy part) but then print a deduped list of hostnames that did NOT return a result in query #2, thereby giving me an exceptions list?

 

 

Labels (1)
Labels
0 Karma
Reply

somesoni2
Revered Legend
‎11-09-2020 12:33 PM

Try something like this:

 

index=* host=*test* | eval hasString=if(match(_raw,"Bleebles"),1,0) | stats max(hasString) as hasString by host | where hasString=0 |table host
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎11-09-2020 11:21 AM 
index=* host=*test* | where not match(_raw,"Bleebles")|dedup host|table host
0 Karma
Reply

mmccaugh9472
Observer
‎11-09-2020 12:12 PM

This one still gives me the entire list (Not just the exceptions) but what I wrote does work, I just need to figure out why it takes so long to run and what I can do to improve it.

But at least it is accurate which is a start! 

0 Karma
Reply

mmccaugh9472
Observer
‎11-09-2020 10:28 AM

OK I think I may have finally figured this out, posting what I did in case anyone else comes across this down the line.

 

index=* host=*test* | join type=outer host [ search index=* host=*test* "Bleebles" | stats count by host ] | where isnull(count) | dedup host | table host | sort by host

This appears to be working so far!

 

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Enterprise Security: Your Command Center for PCI DSS Compliance

Every security professional knows the drill. The PCI DSS audit is approaching, and suddenly everyone's asking ...

Developer Spotlight with Guilhem Marchand

From Splunk Engineer to Founder: The Journey Behind TrackMe    After spending over 12 years working full time ...

Cisco Catalyst Center Meets Splunk ITSI: From 'Payments Are Down' to Root Cause in ...

The Problem: When Networks and Services Don't Talk Payment systems fail at a retail location. Customers are ...