Splunk Search

Search Query

anandhalagaras1
Communicator

Hi Team,

I have a logfile in which I have a few keywords such as ORA-1, ORA-212, ORA-609, and similarly we have more than 100 pieces of information related to ORA- values in it.

So during the search we want to exclude the below mentioned ORA details:

ORA-609
ORA-3136
ORA-12008
ORA-0

And the other ORA- entries need to be displayed while searching the logs, so that we can create alerting and schedule the same.

i.e. other than (ORA-609, ORA-3136, ORA-12008, ORA-0), the remaining ORA- entries should be displayed as events so I am able to create the alerting for the same.

index=abc

sourcetype=def 

host=xxx

So kindly help with the query.

1 Solution

scelikok
SplunkTrust

@anandhalagaras1, can you try below?

index=abc host=xyz ORA-* NOT ORA-609 NOT ORA-3136 NOT ORA-12008 NOT ORA-0
If this reply helps you, an upvote and "Accept as Solution" is appreciated.


ITWhisperer
SplunkTrust
| regex _raw!="(ORA\-609|ORA\-3136|ORA\-12008|ORA\-0).*"

anandhalagaras1
Communicator

@ITWhisperer ,

Thank you for your response.

With this query I am able to filter out ORA-609, ORA-3136, ORA-12008, ORA-0 from the logs, which is fine. But in the same query I want to see only the logs which contain ORA-* in the event, since there are other types of events present in the log as well.


For better understanding: I want to see all the ORA-* logs when I search, excluding ORA-609, ORA-3136, ORA-12008, ORA-0.


So kindly help with the query. 


ITWhisperer
SplunkTrust
| regex _raw!="(ORA\-609|ORA\-3136|ORA\-12008|ORA\-0).*"
| regex _raw="ORA\-.*"

anandhalagaras1
Communicator

@ITWhisperer 


Thank you for your swift response.


But still I can see that a few of the ORA-* events are not captured when I use the query.

For example:

index=abc  host="xyz" | regex _raw!="(ORA\-609|ORA\-3136|ORA\-12008|ORA\-0).*" | regex _raw="ORA\-.*"


I can see there are events related to ORA-00020 today as well as yesterday, but when I ran the query it is not showing this ORA-00020, even though it is not in the exclusion list. Similarly we have more ORA- entries like this which are not showing up.

So kindly help.



anandhalagaras1
Communicator

@scelikok 

Thank you. It worked as expected.


ITWhisperer
SplunkTrust

This is because you haven't been specific enough or given examples of logs from which to work!

What follows these codes? Is it always a space or a colon or a closing bracket or a non-digit? Basically, the regex needs something to indicate that the code is complete.

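Added illustration (not code from anyone in the thread) of the point above: the exclusion regex has no end-of-code boundary, so `ORA-0` also matches the start of `ORA-00020`, and a negative lookahead on the next digit fixes it. The log lines are constructed samples.

```python
import re

# Constructed sample log lines (not taken from the original thread)
SAMPLE_LOGS = [
    "2024-01-10 10:00:01 ORA-609: opiodr aborting process",
    "2024-01-10 10:00:02 ORA-00020: maximum number of processes exceeded",
    "2024-01-10 10:00:03 ORA-3136: inbound connection timed out",
    "2024-01-10 10:00:04 ORA-12008: error in materialized view refresh path",
    "2024-01-10 10:00:05 ORA-0: normal, successful completion",
    "2024-01-10 10:00:06 ORA-1: unique constraint violated",
    "2024-01-10 10:00:07 listener started on port 1521",
    "2024-01-10 10:00:08 ORA-01555: snapshot too old",
]

# Exclusion as written in the thread: nothing marks the end of the code,
# so "ORA-0" is also a prefix of "ORA-00020" and "ORA-01555".
UNANCHORED_EXCLUDE = re.compile(r"(ORA-609|ORA-3136|ORA-12008|ORA-0).*")

# Same codes followed by a negative lookahead: the code must not continue
# with another digit, so ORA-0 no longer swallows ORA-00020.
BOUNDED_EXCLUDE = re.compile(r"ORA-(?:609|3136|12008|0)(?!\d)")

# Any ORA- code at all (the "ORA-*" part of the question).
ORA_ANY = re.compile(r"ORA-\d+")


def filter_ora(lines, exclude):
    """Keep lines that carry an ORA- code which `exclude` does not match."""
    return [line for line in lines
            if ORA_ANY.search(line) and not exclude.search(line)]


def codes(lines):
    """Pull the first ORA- code out of each kept line, for easy comparison."""
    return [ORA_ANY.search(line).group(0) for line in lines]


if __name__ == "__main__":
    print("unanchored:", codes(filter_ora(SAMPLE_LOGS, UNANCHORED_EXCLUDE)))
    print("bounded:   ", codes(filter_ora(SAMPLE_LOGS, BOUNDED_EXCLUDE)))
```

The same boundary works in SPL, since the `regex` command uses PCRE: `| regex _raw!="ORA-(609|3136|12008|0)(?!\d)"`. Unlike the term-search solution, this keeps the filter robust against codes that happen to share a leading digit.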