×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
vickydada
New Member
Member since: ‎12-11-2015
‎09-22-2021
Community Statistics
Posts 1
Solutions 0
Karma Given 0
Karma Received 0
Member Since ‎12-11-2015
View All

How to write a search which exclude events found i...

by in Splunk Search
‎12-11-2015 02:27 AM
‎12-11-2015 02:27 AM
Hi, I am facing difficulties in forming one search. Details are following. Two different searches, Search1: source="/opt/pmx6/var/log/message_log" | stats count by t Search2: source="/var/log/maillog" "Host or domain name not found" OR "Host not found"| | stats count by to Here t and to are same fields with same values. I need a consolidated search in Search1 which gives me results of count t, but exclude the events found in Search2. So far I've tried, 1) source="/opt/pmx6/var/log/message_log" | join t [search source="/var/log/maillog" "Host or domain name not found" OR "Host not found" | rename to as t] | stats count t This search gives me all the events which found respectively in Search2. (Opposite of what I want!) 2) Tried to add Splunk Suppression, index=notable| join t [search source="/var/log/maillog" "Host or domain name not found" OR "Host not found"| rename to as t] But seems like pipes are not allowed there. It would be a gr8 help. Thanks in advance guys. 🙂 ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎09-22-2021 03:24 AM