Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Nested Search Question

mmccaugh9472
Observer
‎11-09-2020 10:01 AM

OK I have been reading most of the morning and I have to just be missing something very simple.

To explain what I am trying to do.

1. Lets take the simple query index=* host=*test*|dedup host|table host

This will obviously give me a unique list of hosts.

2. Second Query index=* host=*test* "Bleebles"|dedup host|table host

This query will give me a unique list of hosts where the string "Bleebles" was found. (Obviously this is just example data)

What I am trying (And failing) at is marrying these two queries up, and returning ONLY hostnames that DO NOT return records with the string "Bleebles" but of course issue #1 is when I invert the logic on search #2 I get EVERY record that has been splunked and doesn't match (Which is literally all the data) 

Can anyone help with the logic I am missing here, using the two very basic queries above how would I first generate the full host list (That's the easy part) but then print a deduped list of hostnames that did NOT return a result in query #2, thereby giving me an exceptions list?

 

 

Labels (1)
Labels
0 Karma
Reply

somesoni2
Revered Legend
‎11-09-2020 12:33 PM

Try something like this:

 

index=* host=*test* | eval hasString=if(match(_raw,"Bleebles"),1,0) | stats max(hasString) as hasString by host | where hasString=0 |table host
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎11-09-2020 11:21 AM 
index=* host=*test* | where not match(_raw,"Bleebles")|dedup host|table host
0 Karma
Reply

mmccaugh9472
Observer
‎11-09-2020 12:12 PM

This one still gives me the entire list (Not just the exceptions) but what I wrote does work, I just need to figure out why it takes so long to run and what I can do to improve it.

But at least it is accurate which is a start! 

0 Karma
Reply

mmccaugh9472
Observer
‎11-09-2020 10:28 AM

OK I think I may have finally figured this out, posting what I did in case anyone else comes across this down the line.

 

index=* host=*test* | join type=outer host [ search index=* host=*test* "Bleebles" | stats count by host ] | where isnull(count) | dedup host | table host | sort by host

This appears to be working so far!

 

0 Karma
Reply
Get Updates on the Splunk Community!

Index This | I’m short for "configuration file.” What am I?

May 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with a Special ...

New Articles from Academic Learning Partners, Help Expand Lantern’s Use Case Library, ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Your Guide to SPL2 at .conf24!

So, you’re headed to .conf24? You’re in for a good time. Las Vegas weather is just *chef’s kiss* beautiful in ...