Splunk Search

If an event with "removed" appears, how to exclude all other events with the same ID from search results?

spsdoit
New Member

The events look like this:

DATE=2015-01-19;TIME=10:34:20;STATUS=INFO;ID=57689;JOB=;ACTION=updateCounter;REASON=NotDigital

DATE=2015-01-19;TIME=10:34:20;STATUS=INFO;ID=30689;JOB=;ACTION=updateCounter;REASON=NotDigital

DATE=2015-01-19;TIME=10:34:20;STATUS=INFO;ID=57689;JOB=;ACTION=updateCounter;REASON=Digital

DATE=2015-01-19;TIME=10:34:20;STATUS=INFO;ID=30689;JOB=;ACTION=updateCounter;REASON=Digital

I do group them in a transaction (transaction ID, REASON).
It does happen that the ORDER gets deleted by the application owner. Then I do have the following event:

DATE=2015-01-09;TIME=14:04:30;STATUS=INFO; JOB=HousekeepingTask;ACTION=deleteFromFileSystem;REASON=Order 30689 removed from file system by user example

The search looks like:

search index=applicationX sourcetype=application | transaction ID, REASON maxspan=350000s | chart stuff ...

I know I could remove them from the results with NOT ID=XXXYYY, but I need to remove them as soon as the orders are removed by the application.

Thank you very much for any suggestion.

0 Karma
1 Solution

richgalloway
SplunkTrust

Perhaps something like this?

search index=applicationX sourcetype=application | transaction ID maxspan=350000s | where NOT like(REASON,"% removed %") | chart stuff ...

I removed REASON from the transaction command so all events with the same ID will be in the same transaction. Then the where command should eliminate transactions with "remove" in the REASON field.

---
If this reply helps you, Karma would be appreciated.

spsdoit
New Member

Well yes, indeed this will work; I need to add a transaction with REASON at the end:

search index=applicationX sourcetype=application | transaction ID maxspan=350000s | where NOT like(REASON,"% removed %") | transaction REASON | chart stuff ...

It can happen that I have something like 250000 events; this may slow the report down. I will give it a try to accelerate the search.
Otherwise, I will summarize, then create the report on the summary index.
Thank you richgalloway.

0 Karma

spsdoit
New Member

Thank you. This won't work because your example removes only the event (or transaction) with "removed" in it.
As you can see, the REASON field has a different value. I tried that.
The search needs to somehow get the ID from the remove-event into a variable and then NOT ID like...
Sorry if my explanation is misleading.

0 Karma

richgalloway
SplunkTrust

According to the manual, the where command should remove the entire transaction.
The key is making sure all events with the same ID are the same transaction. That is why I use only the ID field in the transaction command.

---
If this reply helps you, Karma would be appreciated.
0 Karma
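To make the grouping logic in the accepted answer concrete, here is an added Python example that is not code from the thread or from Splunk. It replays the approach on constructed copies of the events posted above: events are grouped by ID (the role of transaction ID), and a whole group is dropped as soon as any event in it says the order was removed (the role of the where NOT like(REASON,"% removed %") step). It also covers the point spsdoit raised: the housekeeping event carries no ID field, so the order number is first copied out of REASON into ID before grouping; in SPL that would be a field extraction run before the transaction step. The function names, the regular expression and the sample lines are assumptions made for this example.

```python
import re
from collections import defaultdict

# Constructed sample events modelled on the ones in the thread (not real data).
# The last line is the housekeeping event: note it has no ID field at all.
SAMPLE_EVENTS = """\
DATE=2015-01-19;TIME=10:34:20;STATUS=INFO;ID=57689;JOB=;ACTION=updateCounter;REASON=NotDigital
DATE=2015-01-19;TIME=10:34:20;STATUS=INFO;ID=30689;JOB=;ACTION=updateCounter;REASON=NotDigital
DATE=2015-01-19;TIME=10:34:20;STATUS=INFO;ID=57689;JOB=;ACTION=updateCounter;REASON=Digital
DATE=2015-01-19;TIME=10:34:20;STATUS=INFO;ID=30689;JOB=;ACTION=updateCounter;REASON=Digital
DATE=2015-01-09;TIME=14:04:30;STATUS=INFO; JOB=HousekeepingTask;ACTION=deleteFromFileSystem;REASON=Order 30689 removed from file system by user example
"""

# Assumed pattern for the removal message; adjust to the real wording.
REMOVED_RE = re.compile(r"Order (\d+) removed")


def parse_event(line):
    """Split a 'KEY=VALUE;KEY=VALUE' line into a dict.
    Keys are stripped because the removal event has a stray space before JOB."""
    fields = {}
    for part in line.split(";"):
        if "=" not in part:
            continue
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def parse_events(text):
    return [parse_event(l) for l in text.splitlines() if l.strip()]


def fill_id_from_reason(event):
    """The removal event has no ID field; the order number only appears in
    REASON. Copy it into ID so the event lands in the same group as its order
    (this is what a field extraction must do before 'transaction ID')."""
    if "ID" not in event:
        m = REMOVED_RE.search(event.get("REASON", ""))
        if m:
            event["ID"] = m.group(1)
    return event


def build_transactions(events):
    """Group events by ID, like 'transaction ID' (without the maxspan limit)."""
    groups = defaultdict(list)
    for ev in events:
        ev = fill_id_from_reason(dict(ev))
        groups[ev.get("ID", "")].append(ev)
    return groups


def drop_removed_orders(events):
    """Return (kept_events, removed_ids). An entire ID group is discarded when
    any of its events says the order was removed, i.e. the where-filter applied
    per transaction rather than per event."""
    groups = build_transactions(events)
    removed_ids = {
        oid for oid, evs in groups.items()
        if any(" removed " in ev.get("REASON", "") for ev in evs)
    }
    kept = [ev for oid, evs in groups.items() if oid not in removed_ids for ev in evs]
    return kept, removed_ids


if __name__ == "__main__":
    kept, removed = drop_removed_orders(parse_events(SAMPLE_EVENTS))
    print("removed order IDs:", sorted(removed))
    for ev in kept:
        print(ev["ID"], ev["REASON"])
```

Running it on the sample keeps only the two ID=57689 events and reports 30689 as removed. Without fill_id_from_reason the housekeeping event would form its own group with an empty ID, and both 30689 events would survive the filter, which is exactly the behaviour spsdoit observed.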