- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: How to access data in rows of table and then s...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Suppose I have logged data with certain fields like id, level, message etc.
Ex:
id:123
level:warn
Message:xyz task is being performed(msg1)
I need to find all logs which have the above message logged but should not have gone through a log with message 'abc task is being performed'(msg2)
So what I was trying to do was first get all id which have msg1 then use a subsearch to search for each of those ids NOT (msg2) is found. But it isn't working and I even tried:
fields id | map search=" search sourcetype=default_abc id=* NOT "abc task is being performed" "
Sorry, I am new to this so I might be wrong with understanding a lot of it.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@sai_shreyashi_penugo,
Try
Updated as per comments:
"your other search terms" "*task is being performed*"
|eventstats count(eval(searchmatch("msg1"))) as msg1Count,count(eval(searchmatch("msg2"))) as msg2Count by id
|where msg1Count>0 AND msg2Count < 1
=-=-=-=-=-=-=-=-=-=-=
"your other search terms" "*task is being performed*" NOT "*msg2"
OR
Extract the message and filter using that
"base search" | rex field=Message "performed\((?<msg>.+)\)"|where msg!="Msg2"
What goes around comes around. If it helps, hit it with Karma 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@sai_shreyashi_penugo,
Try
Updated as per comments:
"your other search terms" "*task is being performed*"
|eventstats count(eval(searchmatch("msg1"))) as msg1Count,count(eval(searchmatch("msg2"))) as msg2Count by id
|where msg1Count>0 AND msg2Count < 1
=-=-=-=-=-=-=-=-=-=-=
"your other search terms" "*task is being performed*" NOT "*msg2"
OR
Extract the message and filter using that
"base search" | rex field=Message "performed\((?<msg>.+)\)"|where msg!="Msg2"
What goes around comes around. If it helps, hit it with Karma 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
thank you for the reply but this won't help completely in my case. I need to check for each id if it has a log with message 1 and does not have a log with message 2.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@sai_shreyashi_penugo,
What about
"your other search terms" "*task is being performed*"
|eventstats count(eval(searchmatch("msg1"))) as msg1Count,count(eval(searchmatch("msg2"))) as msg2Count by id
|where msg1Count>0 AND msg2Count < 1
What goes around comes around. If it helps, hit it with Karma 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you so much! This solved it.
Introducing the Splunk Community Dashboard Challenge!
Wondering How to Build Resiliency in the Cloud?
Updated Data Management and AWS GDI Inventory in Splunk Observability
