Splunk Search

filter by only failed events which never passed

vishwasgopala
Engager
INFO [] () process='isValid', result='failed', dacNumber='[DAC_111_646]',  accountNumber=1122333
INFO [] () process='isValid', result='failed', dacNumber='[DAC_111_777]',  accountNumber=1122333
INFO [] () process='isValid', result='failed', dacNumber='[DAC_111_888]',  accountNumber=1122333
 INFO [] () process='isValid', result='success', dacNumber='[DAC_111_777]',  accountNumber=1122333
 INFO [] () process='isValid', result='success', dacNumber='[DAC_111_999]',  accountNumber=1122333
 INFO [] () process='isValid', result='success', dacNumber='[DAC_111_646]',  accountNumber=1122333

 

How to get all failed dacNumber which never passed.  In the above example it should give me DAC_111_777. Please help.

 

Labels (2)
Tags (3)
0 Karma
1 Solution

richgalloway
SplunkTrust
SplunkTrust

Select the most recent event for each dacNumber then discard the successful ones.  The remainder will be failures.  In SPL:

... | dedup dacNumber
| where result = failed
---
If this reply helps you, Karma would be appreciated.

View solution in original post

0 Karma

ashvinpandey
Contributor

@vishwasgopala Try adding the below query after you index=<<anything>>

| rex field=_raw "result\=\'(?P<result>\w+).*dacNumber\=\'\[(?P<dacNumber>.*?)\]"
| search result="failed"
| dedup dacNumber
| table dacNumber result

Also if this reply helped you in solving your problem an up-vote would be appreciated.

0 Karma

richgalloway
SplunkTrust
SplunkTrust

Select the most recent event for each dacNumber then discard the successful ones.  The remainder will be failures.  In SPL:

... | dedup dacNumber
| where result = failed
---
If this reply helps you, Karma would be appreciated.
0 Karma
Get Updates on the Splunk Community!

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud  In today’s fast-paced digital ...

Observability protocols to know about

Observability protocols define the specifications or formats for collecting, encoding, transporting, and ...

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...