Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

how to display the difference between main search and subsearch

mm7
Explorer
‎10-10-2023 09:43 AM

assuming I have this log history:

[sent] task=abc, id=123

[sent] task=abc, id=456

[success] task=abc, id=123

I would like to get a list of all ids that are "sent" but did not get a "success", so in the above example it should just be "456"

my current query looks something like this

 

"abc" AND "sent"
| table id
| rename id as "sent_ids"
| appendcols [
  search "abc" AND "success"
  | table id
  | rename id as "success_ids"
]

 

 

this gets me a table with the 2 columns, and I'm stuck on how to "left exclusive join" the two columns to get the unique ids.

or maybe I'm approaching this entirely wrong and there is a much easier solution?

Labels (3)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎10-10-2023 10:21 AM

Hi @mm7 ,

please try something like this:

<your_search>
| rex "^\[(?<status>[^\]]*)"
| stats dc(status) AS status_count values(status) AS status BY task id
| where status_count=1 AND status="sent"
| table task id status

ciao.

Giuseppe

View solution in original post

Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎10-10-2023 10:21 AM

Hi @mm7 ,

please try something like this:

<your_search>
| rex "^\[(?<status>[^\]]*)"
| stats dc(status) AS status_count values(status) AS status BY task id
| where status_count=1 AND status="sent"
| table task id status

ciao.

Giuseppe

Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎10-10-2023 10:33 AM

Hi @mm7 ,

you could extract the status field as a permanent field so you don't need to extract in the search or use eval(searchmatch) but this is the faster way.

Ciao.

Giuseppe

Reply
Solved! Jump to solution

mm7
Explorer
‎10-10-2023 10:28 AM

wow this is so much cleaner and faster! did not think to regex out the status string

thank you!

0 Karma
Reply
Solved! Jump to solution

mm7
Explorer
‎10-10-2023 10:08 AM

figured it out, changed "appendcols" to "append" and added this to the end

 

| stats count(id) AS "count" by id
| where count==1

 

there is probably a better way, open to take other answers, thanks!

EDIT: accepted a way better solution

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...