Hi,
I would like to know how boolean operators work for data indexed under different timestamps. What I understood is that it looks only at the indexed data with the same timestamp. I am not sure whether it will look at the entire source file. Can you please confirm whether it looks at the entire source file or only at that specific timestamp-indexed line? In my case I have logs like
10:00:01 PM KERNEL RECYCLING: Terminated for recycling
10:00:02 PM API ipcSawUnregisterProcV1
10:00:03 PM Handle State structures to abandoned
10:00:04 PM Error: Failed to validate User handle
I want to get the alert only if that source has the message "Handle State structures to abandoned" and does not have "KERNEL RECYCLING" in the same source. I have tried the below in search
Handle State structures to abandoned NOT (KERNEL RECYCLING)
but it is not working for me. In this search I am getting results which have the Kernel Recycling message, so I thought that, as both strings are in different indexed events, Splunk is unable to pick it up. Please help me with this one.
Thank you!
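The following is an added illustration, not part of the original post and not Splunk code: it models the two ways the search terms can be evaluated. A plain search such as `Handle State structures to abandoned NOT (KERNEL RECYCLING)` tests each boolean term against one event at a time, so the NOT only drops events whose own text contains "KERNEL RECYCLING"; to alert per source, the events must first be grouped by source and the decision made on the group. The source names, the second source `appB.log` and its timestamps are constructed sample data.

```python
from collections import defaultdict

# Constructed sample events: (source, timestamp, message). Two hypothetical
# sources; appA.log carries both messages, appB.log carries only the
# "abandoned" message, so only appB.log should raise the alert.
EVENTS = [
    ("appA.log", "10:00:01 PM", "KERNEL RECYCLING: Terminated for recycling"),
    ("appA.log", "10:00:02 PM", "API ipcSawUnregisterProcV1"),
    ("appA.log", "10:00:03 PM", "Handle State structures to abandoned"),
    ("appA.log", "10:00:04 PM", "Error: Failed to validate User handle"),
    ("appB.log", "10:05:00 PM", "Handle State structures to abandoned"),
    ("appB.log", "10:05:01 PM", "Error: Failed to validate User handle"),
]

WANT = "Handle State structures to abandoned"
EXCLUDE = "KERNEL RECYCLING"


def _contains(msg, term):
    # Search-term matching is case-insensitive, so compare lowercased text.
    return term.lower() in msg.lower()


def per_event_search(events, want, exclude):
    """Model of `want NOT exclude` as a plain event search: both terms are
    tested against the same single event, so an event matching `want` is kept
    unless that very event also contains `exclude`. Events from other lines of
    the same source are never consulted, which is the symptom in the question."""
    return [e for e in events if _contains(e[2], want) and not _contains(e[2], exclude)]


def per_source_alert(events, want, exclude):
    """Aggregate by source first, then decide: a source alerts only if at least
    one of its events contains `want` and none of its events contains `exclude`."""
    counts = defaultdict(lambda: {"want": 0, "exclude": 0})
    for source, _ts, msg in events:
        if _contains(msg, want):
            counts[source]["want"] += 1
        if _contains(msg, exclude):
            counts[source]["exclude"] += 1
    return sorted(s for s, c in counts.items() if c["want"] > 0 and c["exclude"] == 0)


if __name__ == "__main__":
    hits = per_event_search(EVENTS, WANT, EXCLUDE)
    print("per-event search returns %d events from sources %s"
          % (len(hits), sorted({e[0] for e in hits})))
    print("per-source alert fires for:", per_source_alert(EVENTS, WANT, EXCLUDE))
```

`per_event_search` returns one event from each source, including appA.log, which is exactly the unwanted result described above; `per_source_alert` returns only appB.log. In Splunk the same grouping is done with a `stats ... by source` step that counts each term per source and then keeps sources where the "abandoned" count is above zero and the "KERNEL RECYCLING" count is zero, rather than relying on NOT in the base search.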