Splunk Search

Search Query

anandhalagaras1
Communicator

Hi Team,

I have a logfile in which I have a few keywords such as ORA-1, ORA-212, ORA-609, and similarly we have more than 100 pieces of information related to ORA- values in it.

So during the search we want to exclude the below mentioned ORA details:

ORA-609
ORA-3136
ORA-12008
ORA-0

And the other ORA- stuff needs to be displayed while searching the logs so that we can create alerting and schedule the same.

i.e. anything other than (ORA-609, ORA-3136, ORA-12008, ORA-0), the remaining ORA- events, should be displayed as events so I am able to create the alerting for the same.

index=abc

sourcetype=def 

host=xxx

So kindly help with the query.


scelikok
SplunkTrust

@anandhalagaras1, can you try below?

index=abc host=xyz ORA-* NOT ORA-609 NOT ORA-3136 NOT ORA-12008 NOT ORA-0
If this reply helps you an upvote and "Accept as Solution" is appreciated.


ITWhisperer
SplunkTrust
| regex _raw!="(ORA\-609|ORA\-3136|ORA\-12008|ORA\-0).*"

anandhalagaras1
Communicator

@ITWhisperer ,

Thank you for your response.

With this query I am able to filter out ORA-609, ORA-3136, ORA-12008, ORA-0 from the logs, which is fine. But in the same query I want to see only the logs which contain ORA-* in the event, since there are other types of events present in the log as well.

For better understanding, I want to see all the ORA-* logs when I search, excluding ORA-609, ORA-3136, ORA-12008, ORA-0.

So kindly help with the query.

ITWhisperer
SplunkTrust
| regex _raw!="(ORA\-609|ORA\-3136|ORA\-12008|ORA\-0).*"
| regex _raw="ORA\-.*"

anandhalagaras1
Communicator

@ITWhisperer

Thank you for your swift response.

But still I can see a few of the ORA-* events are not captured when I use the query.

For example:

index=abc  host="xyz" | regex _raw!="(ORA\-609|ORA\-3136|ORA\-12008|ORA\-0).*" | regex _raw="ORA\-.*"

I can see there are events related to ORA-00020 today as well as yesterday, but when I ran the query it is not showing this ORA-00020 even though it is not in the exclusion list. Similarly we have more ORA- things like this which are not showing up.

So kindly help.


anandhalagaras1
Communicator

@scelikok 

Thank you. It worked as expected.


ITWhisperer
SplunkTrust

This is because you haven't been specific enough or given examples of logs from which to work!

What follows these codes? Is it always a space or a colon or a closing bracket or a non-digit? Basically, the regex needs something to indicate that the code is complete.

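To illustrate the boundary problem raised above (the `ORA\-0` alternative in the posted regex also matches the start of `ORA-00020`, so that event is dropped), here is an added Python example, not from the thread, run over constructed log lines. It compares the posted pattern with a digit-bounded one and, as a further generalization, with a numeric comparison of the extracted codes; that last variant assumes that a zero-padded code such as ORA-00020 and its unpadded form ORA-20 should be treated as the same code.

```python
import re

# Constructed sample log lines (not from the thread): excluded codes, a code that
# merely shares a prefix with an excluded one, a non-ORA line, and normal ORA events.
SAMPLE_LOGS = [
    "ORA-609: opiodr aborting process unknown ospid",
    "ORA-00020: maximum number of processes (300) exceeded",
    "ORA-3136: inbound connection timed out",
    "ORA-12008: error in materialized view refresh path",
    "ORA-0: normal, successful completion",
    "ORA-1: unique constraint violated",
    "TNS-12535: operation timed out",
    "ORA-12541: TNS:no listener",
]

# The exclusion list from the thread, as integers for the numeric variant.
EXCLUDED_CODES = {609, 3136, 12008, 0}

# Pattern as posted in the thread: "ORA\-0" matches the prefix of "ORA-00020" too.
UNBOUNDED_EXCLUDE = re.compile(r"(ORA\-609|ORA\-3136|ORA\-12008|ORA\-0).*")

# Same codes, but the negative lookahead requires the code to end (no further digit).
BOUNDED_EXCLUDE = re.compile(r"ORA-(?:609|3136|12008|0)(?!\d)")

# Any ORA- code; the capture group extracts its digits.
ORA_CODE = re.compile(r"ORA-(\d+)")


def filter_by_regex(lines, exclude_pattern):
    """Keep lines carrying an ORA- code that the exclusion pattern does not match."""
    return [line for line in lines
            if ORA_CODE.search(line) and not exclude_pattern.search(line)]


def filter_by_code(lines, excluded=EXCLUDED_CODES):
    """Keep lines whose ORA- codes all fall outside the exclusion set, compared
    numerically (assumption: ORA-20 and ORA-00020 denote the same code)."""
    kept = []
    for line in lines:
        codes = {int(code) for code in ORA_CODE.findall(line)}
        if codes and not (codes & excluded):
            kept.append(line)
    return kept


if __name__ == "__main__":
    print("posted regex :", filter_by_regex(SAMPLE_LOGS, UNBOUNDED_EXCLUDE))
    print("bounded regex:", filter_by_regex(SAMPLE_LOGS, BOUNDED_EXCLUDE))
    print("numeric codes:", filter_by_code(SAMPLE_LOGS))
```

The posted pattern silently drops the ORA-00020 line, while both bounded variants keep it; the same `(?!\d)` lookahead works inside a Splunk `regex` command.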