If then statement where the output will exclude a ...

jared_anderson · ‎10-09-2017

I want a statement that will evaluate field A, and if the value of field A equals 1, then I want to exclude any value of field B from the search.

gcusello · ‎10-09-2017

Hi jared_anderson,
modify your main search to have only the events you want

sourcetype="email" MailDirectionField=inbound | transaction MID | ...

Bye.
Giuseppe

gcusello · ‎10-09-2017

Hi jared_anderson,
try

 sourcetype="email" MailDirectionField!=outbound | transaction MID | ...

Bye.
Giuseppe

jared_anderson · ‎10-09-2017

the problem with that is then that will only remove one event when there are 20+ events that contain that MID.

event1, maildirection=outbound, MID=123
event2, sourceuser=user1, MID=123
event3, destinationuser=user2, MID=123

event1, maildirection=outbound, MID=124
event2, sourceuser=user1, MID=124
event3, destinationuser=user2, MID=124

event1, maildirection=outbound, MID=125
event2, sourceuser=user1, MID=125
event3, destinationuser=user2, MID=125

in that last search each event1 would not be returned, but the rest of the events with MID 123, 124 and 125 would be returned.

pradeepkumarg · ‎10-09-2017

Something like below?

...| eval fieldA = myEvalFunction | search NOT (fieldA=1 AND fieldB=*)

jared_anderson · ‎10-09-2017

So i have email events, where a series of logs have the same Message ID (MID).

So instead of having to run:
sourcetype="email" | transaction MID |

I want to limit the number of entries and only search against MailDirectionField=inbound. Not every event has MailDirectionField, but they do have the MID field. so I want my evaluation to state that if MailDirectionField=inbound then NOT MID associated with that event.

If then statement where the output will exclude a value from search.

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms