Splunk Search

Search for a field which is NOT success from multi-value field

chutz
Engager

Using `transaction` to trace email delivery through a chain of postfix relays, and I end up with a transaction where each relay reported a `status=`. In the normal case all of these are `status=sent` but now and then I see `status=bounced` or `status=deferred`.

How do I search for the non-success `status` when there are multiple success ones and only one non-success?

If I add `| search NOT status=sent` to the search, nothing gets matched because there is almost always a `status=sent`. Sadly, `| search status != sent` seems to behave the same way.

I could list all the other possible values so I can have `| search status=bounced OR status=deferred`, but this is not what I am looking for.


to4kawa
Ultra Champion
```spl
| makeresults
| eval status=split("success,bounced,deferred",",")
| search status="bounced"
```

this works fine.

```spl
| makeresults
| eval status=split("success,bounced,deferred",",")
| search NOT status="bounced"
```

this doesn't work fine.

If NOT works well, the words are not there.

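An added example, not part of either post above, showing the usual way to get what the question asks for: `search` evaluates the whole event, so a multivalue `status` that contains any `sent` value can never be excluded by `NOT status=sent`, whereas `mvfilter` tests each value of the field on its own. The three constructed transactions with `makeresults`/`split` stand in for the output of the `transaction` step.

```spl
| makeresults count=3
| streamstats count AS n
| eval status=case(n==1, "sent,sent,sent",
                   n==2, "sent,bounced,sent",
                   n==3, "sent,deferred")
| eval status=split(status, ",")
| eval failed=mvfilter(status!="sent")
| where mvcount(failed) > 0
| table n status failed
```

Only transactions 2 and 3 survive the `where`, with `failed` holding just `bounced` and `deferred` respectively; appended after the original `transaction` command (dropping the constructed `makeresults`/`streamstats`/`case` lines), the same `mvfilter` and `where` keep every relay chain that contains at least one non-success status without listing each possible failure value.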