- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to access data in rows of table and then searc...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Suppose I have logged data with certain fields like id, level, message etc.
Ex:
id:123
level:warn
Message:xyz task is being performed(msg1)
I need to find all logs which have the above message logged but should not have gone through a log with message 'abc task is being performed'(msg2)
So what I was trying to do was first get all id which have msg1 then use a subsearch to search for each of those ids NOT (msg2) is found. But it isn't working and I even tried:
fields id | map search=" search sourcetype=default_abc id=* NOT "abc task is being performed" "
Sorry, I am new to this so I might be wrong with understanding a lot of it.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@sai_shreyashi_penugo,
Try
Updated as per comments:
"your other search terms" "*task is being performed*"
|eventstats count(eval(searchmatch("msg1"))) as msg1Count,count(eval(searchmatch("msg2"))) as msg2Count by id
|where msg1Count>0 AND msg2Count < 1
=-=-=-=-=-=-=-=-=-=-=
"your other search terms" "*task is being performed*" NOT "*msg2"
OR
Extract the message and filter using that
"base search" | rex field=Message "performed\((?<msg>.+)\)"|where msg!="Msg2"
What goes around comes around. If it helps, hit it with Karma 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@sai_shreyashi_penugo,
Try
Updated as per comments:
"your other search terms" "*task is being performed*"
|eventstats count(eval(searchmatch("msg1"))) as msg1Count,count(eval(searchmatch("msg2"))) as msg2Count by id
|where msg1Count>0 AND msg2Count < 1
=-=-=-=-=-=-=-=-=-=-=
"your other search terms" "*task is being performed*" NOT "*msg2"
OR
Extract the message and filter using that
"base search" | rex field=Message "performed\((?<msg>.+)\)"|where msg!="Msg2"
What goes around comes around. If it helps, hit it with Karma 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
thank you for the reply but this won't help completely in my case. I need to check for each id if it has a log with message 1 and does not have a log with message 2.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@sai_shreyashi_penugo,
What about
"your other search terms" "*task is being performed*"
|eventstats count(eval(searchmatch("msg1"))) as msg1Count,count(eval(searchmatch("msg2"))) as msg2Count by id
|where msg1Count>0 AND msg2Count < 1
What goes around comes around. If it helps, hit it with Karma 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you so much! This solved it.
Join Us for Splunk University and Get Your Bootcamp Game On!
.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!
Announcing Scheduled Export GA for Dashboard Studio
