Splunk Search

filter by only failed events which never passed

vishwasgopala
Engager
INFO [] () process='isValid', result='failed', dacNumber='[DAC_111_646]',  accountNumber=1122333
INFO [] () process='isValid', result='failed', dacNumber='[DAC_111_777]',  accountNumber=1122333
INFO [] () process='isValid', result='failed', dacNumber='[DAC_111_888]',  accountNumber=1122333
 INFO [] () process='isValid', result='success', dacNumber='[DAC_111_777]',  accountNumber=1122333
 INFO [] () process='isValid', result='success', dacNumber='[DAC_111_999]',  accountNumber=1122333
 INFO [] () process='isValid', result='success', dacNumber='[DAC_111_646]',  accountNumber=1122333

 

How to get all failed dacNumber which never passed.  In the above example it should give me DAC_111_777. Please help.

 

0 Karma
1 Solution

richgalloway
SplunkTrust

Select the most recent event for each dacNumber then discard the successful ones.  The remainder will be failures.  In SPL:

... | dedup dacNumber
| where result="failed"
---
If this reply helps you, Karma would be appreciated.


0 Karma

ashvinpandey
Contributor

@vishwasgopala Try adding the below query after your index=<<anything>>

| rex field=_raw "result\=\'(?P<result>\w+).*dacNumber\=\'\[(?P<dacNumber>.*?)\]"
| search result="failed"
| dedup dacNumber
| table dacNumber result

Also if this reply helped you in solving your problem an up-vote would be appreciated.

0 Karma
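
An order-independent variant, as an added example that is not from any of the replies above: count the failed and success events per dacNumber with stats, then keep only the values that have at least one failure and no success. The makeresults, split and mvexpand lines only build constructed sample events from the question's log lines (the field name raw is an assumption); against real data, replace them with your base search and run rex on _raw.

```spl
| makeresults
| eval raw=split("result='failed', dacNumber='[DAC_111_646]';result='failed', dacNumber='[DAC_111_777]';result='failed', dacNumber='[DAC_111_888]';result='success', dacNumber='[DAC_111_777]';result='success', dacNumber='[DAC_111_999]';result='success', dacNumber='[DAC_111_646]'", ";")
| mvexpand raw
| rex field=raw "result='(?<result>\w+)',\s+dacNumber='\[(?<dacNumber>[^\]]+)\]'"
| stats count(eval(result="failed")) AS failures, count(eval(result="success")) AS successes BY dacNumber
| where failures > 0 AND successes = 0
| table dacNumber failures
```

Because stats aggregates over the whole search window, the result does not depend on which event for a dacNumber happens to be the most recent; the time range of the search decides what "never" means.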
