Re: Subsearch 2 fields with Match and 1 mismatch

rsharma1984 · ‎12-06-2017

index =ttt beforeController [search index = ttt beforeController | fields pnr, bnr, NOT(gnr)]

How can I achieve that? I am trying to subsearch same types of transactions where 2 fields needs to match exactly(pnr, bnr) but 3 one should not match(gnr).

Example:

Suppose there are 3 transactions:
1. http://cdn.xxx.yy.com/pnr=PAA&bnr=BAA&gnr=GAA&class=A]
2. http://cdn.xxx.yy.com/pnr=PAA&bnr=BAA&gnr=GAA&class=B]
3. http://cdn.xxx.yy.com/pnr=PAA&bnr=BAA&gnr=GAA2&class=c]

So here I want the transactions matching 1 and 3 or 2 and 3, where pnr and bnr should match but not gnr.

somesoni2 · ‎12-08-2017

Why not just use dedup command with all three fields so that any duplicates will be removed.

jplumsdaine22 · ‎12-08-2017

I still don't understand you. You want events 1 & 3, but 1 &2 are identical in your example

rsharma1984 · ‎12-08-2017

so basically I don't want duplicates, so you can say (1 and 3) or (2 and 3).
Not to mention timestamp for these 3 events are different.

jplumsdaine22 · ‎12-07-2017

I assume you mean you have three fields, pnr, bnr, and gnr. You want to find events where gnr is null.

index=ttt beforeController pnr=* bnr=* | where isnull(gnr)

If that's not what you're trying to do can you provide som sample events and an example of what you want the result to be?

rsharma1984 · ‎12-08-2017

I have updated the question with example. Let me know if that helps in understanding it better.

Subsearch 2 fields with Match and 1 mismatch

Observe and Secure All Apps with Splunk

Splunk Decoded: Business Transactions vs Business IQ

Fastest way to demo Observability

Are you a member of the Splunk Community?

Subsearch 2 fields with Match and 1 mismatch

Observe and Secure All Apps with Splunk

Splunk Decoded: Business Transactions vs Business IQ

Fastest way to demo Observability