Search Query

anandhalagaras1
Communicator

Hi Team,

I have a logfile in which I have a few keywords such as ORA-1, ORA-212, ORA-609, and similarly we have more than 100 pieces of information related to ORA- values in it.

So during the search we want to exclude the below-mentioned ORA details:

ORA-609
ORA-3136
ORA-12008
ORA-0

And the other ORA- stuff needs to be displayed while searching the logs so that we can create alerting and schedule the same.

i.e. other than (ORA-609, ORA-3136, ORA-12008, ORA-0), the remaining ORA- should be displayed as events so I am able to create the alerting for the same.

index=abc

sourcetype=def 

host=xxx

So kindly help with the query.


ITWhisperer
SplunkTrust
| regex _raw!="(ORA\-609|ORA\-3136|ORA\-12008|ORA\-0).*"

anandhalagaras1
Communicator

@ITWhisperer ,

Thank you for your response.

With this query I am able to filter out ORA-609, ORA-3136, ORA-12008, ORA-0 from the logs, which is fine. But in the same query I want to see only the logs which contain ORA-* in the event, since there are other types of events present in the log as well.

For better understanding, I want to see all the ORA-* logs when I search, excluding ORA-609, ORA-3136, ORA-12008, ORA-0.

So kindly help with the query.


ITWhisperer
SplunkTrust
| regex _raw!="(ORA\-609|ORA\-3136|ORA\-12008|ORA\-0).*"
| regex _raw="ORA\-.*"

anandhalagaras1
Communicator

@ITWhisperer

Thank you for your swift response.

But still I can see a few of the ORA-* are not captured when I use the query.

For example:

index=abc  host="xyz" | regex _raw!="(ORA\-609|ORA\-3136|ORA\-12008|ORA\-0).*" | regex _raw="ORA\-.*"

I can see there are events related to ORA-00020 today as well as yesterday, but when I ran the query it is not showing this ORA-00020 even though it is not in the exclusion list. Similarly we have more ORA- things like this which are not showing up.

So kindly help.


scelikok
SplunkTrust

@anandhalagaras1, can you try below?

index=abc host=xyz ORA-* NOT ORA-609 NOT ORA-3136 NOT ORA-12008 NOT ORA-0
If this reply helps you an upvote and "Accept as Solution" is appreciated.

anandhalagaras1
Communicator

@scelikok 

Thank you. It worked as expected.


ITWhisperer
SplunkTrust

This is because you haven't been specific enough or given examples of logs from which to work from!

What follows these codes? Is it always a space or a colon or a closing bracket or a non-digit? Basically, the regex needs something to indicate that the code is complete.

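Added illustration, not part of the thread or of any poster's answer: a Python `re` simulation of the two `| regex` stages from the replies above, run over constructed sample log lines. It shows why the unanchored `ORA\-0` alternative also swallows ORA-00020 and ORA-01555 (the symptom reported in the thread), and how terminating each code with a negative lookahead `(?!\d)`, which Splunk's PCRE engine also supports, restricts the exclusion to the exact codes. The sample lines, constants and function names are my own assumptions.

```python
import re

# Constructed sample events (not real logs from the thread); a mix of excluded
# codes, wanted codes that share a prefix with an excluded one, and non-ORA events.
SAMPLE_LOGS = [
    "2024-05-01 10:00:01 ORA-609: opiodr aborting process",
    "2024-05-01 10:00:02 ORA-00020: maximum number of processes exceeded",
    "2024-05-01 10:00:03 ORA-3136: inbound connection timed out",
    "2024-05-01 10:00:04 ORA-12008: error in materialized view refresh path",
    "2024-05-01 10:00:05 ORA-01555: snapshot too old",
    "2024-05-01 10:00:06 ORA-0: normal, successful completion",
    "2024-05-01 10:00:07 Listener started (no ORA code in this event)",
    "2024-05-01 10:00:08 ORA-212: flagged by monitoring",
    "2024-05-01 10:00:09 ORA-1 retry scheduled, see also ORA-609 earlier",
]

# Exclusion regex as posted in the thread. "ORA\-0" is an unanchored prefix, so it
# also matches ORA-00020, ORA-01555 and every other code starting with a zero.
EXCLUDE_UNANCHORED = re.compile(r"(ORA\-609|ORA\-3136|ORA\-12008|ORA\-0).*")

# Anchored variant: after the code number, require that the next character is
# not a digit (or that the line ends), so ORA-0 no longer swallows ORA-00020.
EXCLUDE_ANCHORED = re.compile(r"ORA\-(609|3136|12008|0)(?!\d)")

# Second stage from the thread: keep only events that carry some ORA- code.
INCLUDE_ANY_ORA = re.compile(r"ORA\-\d+")


def filter_ora_events(lines, exclude_pattern):
    """Mirror the two-stage SPL pipeline:
    | regex _raw!=<exclude>   (drop events matching the exclusion list)
    | regex _raw="ORA\\-.*"   (keep only events that mention an ORA- code)
    """
    return [
        line for line in lines
        if not exclude_pattern.search(line) and INCLUDE_ANY_ORA.search(line)
    ]


def ora_codes(lines):
    """Sorted, de-duplicated list of every ORA- code present in the given lines."""
    return sorted({m.group(0) for line in lines for m in INCLUDE_ANY_ORA.finditer(line)})


def silently_dropped(lines):
    """Codes the unanchored exclusion removes that the anchored one keeps,
    i.e. the events an alert built on the unanchored regex would never see."""
    kept_unanchored = set(ora_codes(filter_ora_events(lines, EXCLUDE_UNANCHORED)))
    kept_anchored = set(ora_codes(filter_ora_events(lines, EXCLUDE_ANCHORED)))
    return sorted(kept_anchored - kept_unanchored)


if __name__ == "__main__":
    print("unanchored keeps:", ora_codes(filter_ora_events(SAMPLE_LOGS, EXCLUDE_UNANCHORED)))
    print("anchored keeps:  ", ora_codes(filter_ora_events(SAMPLE_LOGS, EXCLUDE_ANCHORED)))
    print("lost to prefix match:", silently_dropped(SAMPLE_LOGS))
```

The SPL form of the anchored exclusion is `| regex _raw!="ORA-(609|3136|12008|0)(?!\d)"`; the trailing `.*` in the original pattern is redundant, since `regex` is an unanchored search. Two caveats the simulation makes visible: a single raw event that mentions both a wanted code and an excluded one (the last sample line) is dropped by either regex, because the filter operates per event, not per code; and the exclusion should be tested against a known-good event such as ORA-00020 before an alert is scheduled on it, since a prefix match fails silently rather than erroring.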