Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Nested Search Question

mmccaugh9472
Observer
‎11-09-2020 10:01 AM

OK I have been reading most of the morning and I have to just be missing something very simple.

To explain what I am trying to do.

1. Lets take the simple query index=* host=*test*|dedup host|table host

This will obviously give me a unique list of hosts.

2. Second Query index=* host=*test* "Bleebles"|dedup host|table host

This query will give me a unique list of hosts where the string "Bleebles" was found. (Obviously this is just example data)

What I am trying (And failing) at is marrying these two queries up, and returning ONLY hostnames that DO NOT return records with the string "Bleebles" but of course issue #1 is when I invert the logic on search #2 I get EVERY record that has been splunked and doesn't match (Which is literally all the data) 

Can anyone help with the logic I am missing here, using the two very basic queries above how would I first generate the full host list (That's the easy part) but then print a deduped list of hostnames that did NOT return a result in query #2, thereby giving me an exceptions list?

 

 

Labels (1)
Labels
0 Karma
Reply

somesoni2
Revered Legend
‎11-09-2020 12:33 PM

Try something like this:

 

index=* host=*test* | eval hasString=if(match(_raw,"Bleebles"),1,0) | stats max(hasString) as hasString by host | where hasString=0 |table host
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎11-09-2020 11:21 AM 
index=* host=*test* | where not match(_raw,"Bleebles")|dedup host|table host
0 Karma
Reply

mmccaugh9472
Observer
‎11-09-2020 12:12 PM

This one still gives me the entire list (Not just the exceptions) but what I wrote does work, I just need to figure out why it takes so long to run and what I can do to improve it.

But at least it is accurate which is a start! 

0 Karma
Reply

mmccaugh9472
Observer
‎11-09-2020 10:28 AM

OK I think I may have finally figured this out, posting what I did in case anyone else comes across this down the line.

 

index=* host=*test* | join type=outer host [ search index=* host=*test* "Bleebles" | stats count by host ] | where isnull(count) | dedup host | table host | sort by host

This appears to be working so far!

 

0 Karma
Reply
Get Updates on the Splunk Community!

Join Us for Splunk University and Get Your Bootcamp Game On!

If you know, you know! Splunk University is the vibe this summer so register today for bootcamps galore ...

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

.conf24 is taking place at The Venetian in Las Vegas from June 11 - 14. Continue reading to learn about the ...

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...