Question on include/exclude events

Deepz2612 · ‎06-19-2019

In the logs I wanted to include events that has the string "uri=https://www.bikerace.com" and if it is not present I wanted to include events with string "BAD_REQUEST_EXCEPTION".
But at times the case is that both the strings are present and when I write a query condition with "OR" statement both gets selected.
But I wat either of it only..If the 1st string is present,only that event..If the first string is not present then i wanted to have the event with second string.

Kindly help me with it.

Thanks!

DavidHourani · ‎06-19-2019

Hi @Deepz2612,

Would be great if you could share your search string but I'm supposing that you have both fields uri and request and your search looks like this :

index=yourindex uri="https://www.bikerace.com" OR request="BAD_REQUEST_EXCEPTION"

You will need to modify the logic to make it look like this :

  index=yourindex (uri="https://www.bikerace.com" AND NOT request="BAD_REQUEST_EXCEPTION") OR (request="BAD_REQUEST_EXCEPTION" AND NOT uri="https://www.bikerace.com")

Let me know if that helps.

Cheers,
David

Question on include/exclude events

Unlock Database Monitoring with Splunk Observability Cloud

Purpose in Action: How Splunk Is Helping Power an Inclusive Future for All

[Upcoming Webinar] Demo Day: Transforming IT Operations with Splunk

Join the Conversation

Question on include/exclude events

Unlock Database Monitoring with Splunk Observability Cloud

Purpose in Action: How Splunk Is Helping Power an Inclusive Future for All

[Upcoming Webinar] Demo Day: Transforming IT Operations with Splunk