Search for a field which is NOT success from multi...

chutz · ‎08-16-2020

Using `transaction` to trace email delivery through a chain of postfix relays, and I end up with a transaction where each relay reported a `status=`. In the normal case all of these are `status=sent` but now and then I see `status=bounced` or `status=deferred`.

How do I search for the non-success `status` when there are multiple success ones and only one non-success.

If I add `| search NOT status=sent` to the search, nothing gets matched because there is almost always a `status=sent`. Sadly, `| search status != sent` seems to behave the same way.

I could list all the other possible values so I can have `| search status=bounced OR status=deferred` but this not what I am looking for.

to4kawa · ‎08-16-2020

| makeresults
| eval status=split("success,bounced,deffered",",")
| search status="bounced"

this works fine.

| makeresults
| eval status=split("success,bounced,deffered",",")
| search NOT status="bounced"

this doesn't work fine.

If NOT works well, there is not the words.

Search for a field which is NOT success from multi-value field

eval

subsearch

Can’t make it to .conf25? Join us online!

Community Content Calendar, September edition

Splunkbase Unveils New App Listing Management Public Preview

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you a member of the Splunk Community?