Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to search for results that are in result A, but not result B?

tdewitt_atl_rea
New Member
‎07-06-2016 07:59 PM

I have 2 logs: an error log and a success log. When an item fails (error log), it is retried. I would like to filter out the items that succeed on retry and only display items that are still failing - In other words, items that only appear in the error log.

Sample search:

index=fail_log "Processing failed" | dedup event_id | transaction event_id | rex "\"itemId\":(?P<itemIdInt>\d+)" | fields itemIdInt | search NOT [search index=success_log Order processed successfully | eval itemIdInt=substr(itemId, 4) | fields itemIdInt ] | stats count

The reason for the substring is that in the success log, the items show up as ID- and in the fail log, they are just , so we need to just pull out the actual digits.

This seems to work for most things. We have 20,000+ successes and on the order of 10-20 failures. However, only 1 or 2 of those failures have not been successful, and a simple search of: 

index=success_log Order processed successfully | eval itemIdInt=substr(itemId, 4) | fields itemIdInt | search itemIdInt=<itemId_from_fail_log>

will return results, indicating that itemId has succeeded on rerun.

Is there a more formal way of removing items from result A (failures) that appear in result B (successes)

0 Karma
Reply

sundareshr
Legend
‎07-07-2016 06:50 AM

Not sure you need the transaction command. Try this

index=fail_log "Processing failed" | dedup event_id | rex "\"itemId\":(?P<itemIdInt>\d+)" | fields itemIdInt | search NOT [search index=success_log Order processed successfully | eval itemIdInt=substr(itemId, 4) | fields itemIdInt ] | stats count
0 Karma
Reply

tdewitt_atl_rea
New Member
‎07-07-2016 07:45 PM

That didn't seem to affect the results. Just curious, why would removing the transaction command potentially work?

0 Karma
Reply

Richfez
SplunkTrust
SplunkTrust
‎07-07-2016 06:21 AM

Would it be just as useful to only include items whose final state is "failed?" E.g. the last time they ran they were in state failed?

0 Karma
Reply

tdewitt_atl_rea
New Member
‎07-07-2016 07:41 PM

How would I go about that, Rich? It sounds like it could work!

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...