Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

If I have DataError field which has 10 different message text but I need to exclude 2 out 10 and 8 as stats result?

Naga1
Loves-to-Learn Lots
‎05-28-2023 08:27 PM

If I have DataError field which has 10 different message text but I need to exclude two out 10 I need only 8 as stats result ?Please suggest any solution here?

Labels (2)
Labels
0 Karma
Reply

yeahnah
Motivator
‎05-28-2023 08:59 PM

Hi @Naga1 

The are a number of methods.

As you have not provided any example of the DataError field values, I'll assume they are short and concise.  Generally, the simplest and most efficient way is do exclude them at base search time.  Something like this

...your search query... NOT DataError IN("value1 to exclude", "value1 to exclude")  ``` this will exclude the 2 DataError messages you want to ignore``` 
| stats count BY DataError

Or, it can be just as quick to do the stats count on all values and then exclude the ones you do not want to see afterwards.

...your search query... 
| stats count BY DataError
| search NOT DataError IN("value1 to exclude", "value1 to exclude")

It really depends on the data.

Anyway, hope that helps get you going.

0 Karma
Reply

Naga1
Loves-to-Learn Lots
‎05-29-2023 12:07 AM

If I have long values with lot of special character and quotation mark(")How the search string differs between value and separator.

 

Long errors may be : 

1. ART.117.4002] Adapter Runtime (Adapter Service): Unable to invoke adapter service cip.atsJob.connectors.cipdb.jobCatalog:saveJobCatalog with connection cip.atsJob.connectors.cipdb:atsJobDb.
[ADA.1.316] Cannot execute the SQL statement "?= call SAVE_JOB_CATALOG( ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)". "
(23000/1400) ORA-01400: cannot insert NULL into ("ATSJOB"."ATS_JOB_CATALOG"."JOB_TITLE")
ORA-06512: at "ATSJOB.SAVE_JOB_CATALOG", line 55
ORA-06512: at line 1 "
ORA-01400: cannot insert NULL into ("ATSJOB"."ATS_JOB_CATALOG"."JOB_TITLE")
ORA-06512: at "ATSJOB.SAVE_JOB_CATALOG", line 55
ORA-06512: at line 1

 

 

2. "Error in ATS_JOB_FEED.AVATURE_GLOBAL job processing either jobTitle or JobDescription value is null,chk ATS_JOB_CATALOG for job details using job code:%dynamic value% and ATS code:AVATURE_GLOBAL
See CIP Framework Log for more details, Interface Code: ATS_JOB_FEED.AVATURE_GLOBAL”

Tags (1)
0 Karma
Reply
Get Updates on the Splunk Community!

Splunk App Dev Community Updates – What’s New and What’s Next

Welcome to your go-to roundup of everything happening in the Splunk App Dev Community! Whether you're building ...

The Latest Cisco Integrations With Splunk Platform!

Join us for an exciting tech talk where we’ll explore the latest integrations in Cisco + Splunk! We’ve ...

Enterprise Security Content Update (ESCU) | New Releases

In April, the Splunk Threat Research Team had 2 releases of new security content via the Enterprise Security ...