Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Result that does not match an item in list

vschrodda
Explorer
‎06-18-2021 10:29 AM

 

With a search I would like a result that does NOT match an element in a list

For instance:

 

 

 

index=myindex source="mysource_*" earliest-30m

 

 

 

I'd like to compare the sources against a list, such as:

 

 

 

("*one","*two","*three")

 

 

 

If the search results, for instance, DON'T include events with the source "mysource_three" I would like a result that states this.  Ultimately, I'm looking to create an alert based on the query; if there are no events seen from some sources in the last 30 minutes.

Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

vschrodda
Explorer
‎06-18-2021 04:19 PM

Figured out what I needed

index=myindex source="mysource_*" earliest=-30m | stats count by source | table source | eval Found=1 | append [|inputlookup mylookup_table.csv | table source | eval Found=0] | stats max(Found) as Found by source | where Found=0

View solution in original post

Reply
Solved! Jump to solution
Solution

vschrodda
Explorer
‎06-18-2021 04:19 PM

Figured out what I needed

index=myindex source="mysource_*" earliest=-30m | stats count by source | table source | eval Found=1 | append [|inputlookup mylookup_table.csv | table source | eval Found=0] | stats max(Found) as Found by source | where Found=0
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎06-18-2021 12:26 PM

Perhaps this will get you started.

index=myindex source="mysource_*" earliest-30m
| regex source!="mysource_(?:one|two|three)"

If you get any results, then trigger an alert.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

vschrodda
Explorer
‎06-18-2021 12:49 PM

This results in a 'source' that did not match an element in the list.  I can do this without issue.  I'm trying to determine which element(s) did not have any matching events (there would be no matching events in the last 30 minutes)

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎06-18-2021 02:18 PM

I got lost with all the negatives in that.  What problem are you trying to solve?

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

vschrodda
Explorer
‎06-18-2021 03:14 PM

I'm simply trying to determine/list any elements ("*one","*two","*three")  did not have any matching events in given time frame

0 Karma
Reply
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...