Search for a field which is NOT success from multi...

chutz · ‎08-16-2020

Using `transaction` to trace email delivery through a chain of postfix relays, and I end up with a transaction where each relay reported a `status=`. In the normal case all of these are `status=sent` but now and then I see `status=bounced` or `status=deferred`.

How do I search for the non-success `status` when there are multiple success ones and only one non-success.

If I add `| search NOT status=sent` to the search, nothing gets matched because there is almost always a `status=sent`. Sadly, `| search status != sent` seems to behave the same way.

I could list all the other possible values so I can have `| search status=bounced OR status=deferred` but this not what I am looking for.

to4kawa · ‎08-16-2020

| makeresults
| eval status=split("success,bounced,deffered",",")
| search status="bounced"

this works fine.

| makeresults
| eval status=split("success,bounced,deffered",",")
| search NOT status="bounced"

this doesn't work fine.

If NOT works well, there is not the words.

Search for a field which is NOT success from multi-value field

eval

subsearch

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

Splunk Observability for AI

🔐 Trust at Every Hop: How mTLS in Splunk Enterprise 10.0 Makes Security Simpler

Are you a member of the Splunk Community?