Splunk Search

ignore certain occurrences out of multiple occurrences in an event

explorer436
New Member

Hello,
I have a log file with a bunch of entries like this:

[INFO ] Wed, 5 Apr 2017 at 08:19:52 AM EDT TestClass [Default Executor-thread-32224] - [{DetailedStatus[{DetailedStatusCd=AccountNumber,DetailedStatusDesc=ABCD12345};{DetailedStatusCd=VALUE01,DetailedStatusDesc=DetailedMessage1};{DetailedStatusCd=VALUE05,DetailedStatusDesc=DetailedMessage5};]}]
[INFO ] Wed, 5 Apr 2017 at 08:19:52 AM EDT TestClass [Default Executor-thread-32224] - [{DetailedStatus[{DetailedStatusCd=AccountNumber,DetailedStatusDesc=ABCD12345};{DetailedStatusCd=VALUE02,DetailedStatusDesc=DetailedMessage2};{DetailedStatusCd=VALUE06,DetailedStatusDesc=DetailedMessage6};]}]
[INFO ] Wed, 5 Apr 2017 at 08:19:52 AM EDT TestClass [Default Executor-thread-32224] - [{DetailedStatus[{DetailedStatusCd=AccountNumber,DetailedStatusDesc=ABCD12345};{DetailedStatusCd=VALUE03,DetailedStatusDesc=DetailedMessage3};{DetailedStatusCd=VALUE07,DetailedStatusDesc=DetailedMessage7};]}]
[INFO ] Wed, 5 Apr 2017 at 08:19:52 AM EDT TestClass [Default Executor-thread-32224] - [{DetailedStatus[{DetailedStatusCd=AccountNumber,DetailedStatusDesc=ABCD12345};{DetailedStatusCd=VALUE04,DetailedStatusDesc=DetailedMessage4};{DetailedStatusCd=VALUE08,DetailedStatusDesc=DetailedMessage8};]}]
[INFO ] Wed, 5 Apr 2017 at 08:19:52 AM EDT TestClass [Default Executor-thread-32224] - [{DetailedStatus[{DetailedStatusCd=AccountNumber,DetailedStatusDesc=ABCD12345};{DetailedStatusCd=VALUE09,DetailedStatusDesc=DetailedMessage9};]}]

I am trying to plot a pie chart to show the DetailedStatusCd using stats count. I don't want to look at the DetailedStatusCd if the value is "AccountNumber". So my result set should contain VALUE01, VALUE02, VALUE03, etc.
If I say NOT DetailedStatusCd=AccountNumber, Splunk is skipping the entire event.

How can I plot this data?

0 Karma

somesoni2
Revered Legend

I'm guessing Splunk is giving you a multivalued field DetailedStatusCd with values AccountNumber, VALUE01, VALUE02.... If that's the case, try it like this:

your base search giving multivalued field DetailedStatusCd
| eval DetailedStatusCd=mvfilter(NOT match(DetailedStatusCd,"AccountNumber"))
| stats count by....
0 Karma
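
A run-anywhere version of the approach in the answer above, added here as an example and not part of either post. It assumes the field is not auto-extracted and pulls it with `rex max_match=0`; the `constructed_sample` field holds two of the question's log lines as test input, and the match is anchored (`^AccountNumber$`) so codes that merely contain that string are kept.

```spl
| makeresults
| eval constructed_sample=split("[INFO ] Wed, 5 Apr 2017 at 08:19:52 AM EDT TestClass [Default Executor-thread-32224] - [{DetailedStatus[{DetailedStatusCd=AccountNumber,DetailedStatusDesc=ABCD12345};{DetailedStatusCd=VALUE01,DetailedStatusDesc=DetailedMessage1};{DetailedStatusCd=VALUE05,DetailedStatusDesc=DetailedMessage5};]}]@@[INFO ] Wed, 5 Apr 2017 at 08:19:52 AM EDT TestClass [Default Executor-thread-32224] - [{DetailedStatus[{DetailedStatusCd=AccountNumber,DetailedStatusDesc=ABCD12345};{DetailedStatusCd=VALUE09,DetailedStatusDesc=DetailedMessage9};]}]", "@@")
| mvexpand constructed_sample
| rex field=constructed_sample max_match=0 "DetailedStatusCd=(?<DetailedStatusCd>[^,}]+)"
| eval DetailedStatusCd=mvfilter(NOT match(DetailedStatusCd, "^AccountNumber$"))
| stats count by DetailedStatusCd
```

Because `stats ... by` counts each value of a multivalue field separately, the result has one row per remaining status code, which is the shape a pie chart needs.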