Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Result that does not match an item in list

vschrodda
Explorer
‎06-18-2021 10:29 AM

 

With a search I would like a result that does NOT match an element in a list

For instance:

 

 

 

index=myindex source="mysource_*" earliest-30m

 

 

 

I'd like to compare the sources against a list, such as:

 

 

 

("*one","*two","*three")

 

 

 

If the search results, for instance, DON'T include events with the source "mysource_three" I would like a result that states this.  Ultimately, I'm looking to create an alert based on the query; if there are no events seen from some sources in the last 30 minutes.

Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

vschrodda
Explorer
‎06-18-2021 04:19 PM

Figured out what I needed

index=myindex source="mysource_*" earliest=-30m | stats count by source | table source | eval Found=1 | append [|inputlookup mylookup_table.csv | table source | eval Found=0] | stats max(Found) as Found by source | where Found=0

View solution in original post

Reply
Solved! Jump to solution
Solution

vschrodda
Explorer
‎06-18-2021 04:19 PM

Figured out what I needed

index=myindex source="mysource_*" earliest=-30m | stats count by source | table source | eval Found=1 | append [|inputlookup mylookup_table.csv | table source | eval Found=0] | stats max(Found) as Found by source | where Found=0
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎06-18-2021 12:26 PM

Perhaps this will get you started.

index=myindex source="mysource_*" earliest-30m
| regex source!="mysource_(?:one|two|three)"

If you get any results, then trigger an alert.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

vschrodda
Explorer
‎06-18-2021 12:49 PM

This results in a 'source' that did not match an element in the list.  I can do this without issue.  I'm trying to determine which element(s) did not have any matching events (there would be no matching events in the last 30 minutes)

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎06-18-2021 02:18 PM

I got lost with all the negatives in that.  What problem are you trying to solve?

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

vschrodda
Explorer
‎06-18-2021 03:14 PM

I'm simply trying to determine/list any elements ("*one","*two","*three")  did not have any matching events in given time frame

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...