
How to get difference of events between main search and an extracted search

nirmalya2006
Path Finder

Hi Ninjas

I have a search which returns 1500 events. From that search I have extracted a field (e.g. FieldX) using a regex which matches 900 events. From the remaining 600 events, I found that I can extract another field (FieldY) which is the same as FieldX and matches another 200 events, but it needs a slight change in the regex. Problem is the regex for FieldX is not extracting values for FieldY and vice versa, though they are the same fields that I need for the 900 + 200 = 1100 events.
So I wrote two separate regexes and 2 separate search queries to fetch the 1100 events and then do an append to put them all in outputlookup.
Till this, everything is fine.
Now, I want to view the remaining 1500-1100=400 events and see if I can extract any other fields that might be similar to FieldX and FieldY but do not satisfy the regex for FieldX and FieldY.
Basically, I want to do something like ((the events returned by main search) minus (events returned by search of FieldX + FieldY))

Is this possible to do?
Can you please suggest how I can do it?

Main Search :

index=idx1 sourcetype=src1 "GET /ajaxClient.aspx" 

FieldX Search

index=idx1 sourcetype=src1 "GET /ajaxClient.aspx" 
| table responseTime_1

Regex for FieldX - responseTime_1

(?=[^G]*(?:GET /ajaxClient.aspx|G.*GET /ajaxClient.aspx))^(?:[^=\n]*=){5}\w+\s+\d+\s+\d+\s+\d+\s+(?P<responseTime_1>.+)

FieldY Search

index=idx1 sourcetype=src1 "GET /ajaxClient.aspx"  "&workser="
| table responseTime_2

Regex for FieldY - responseTime_2

(?=[^G]*(?:GET /ajaxClient.aspx|G.*GET /ajaxClient.aspx))^(?:[^\-\n]*\-){7}[a-f0-9]+\s+\d+\s+\d+\s+\d+\s+(?P<responseTime_2>.+) 

Thanks


sundareshr
Legend

Try this

index=idx1 sourcetype=src1 "GET /ajaxClient.aspx" | rex "(?=[^G]*(?:GET /ajaxClient.aspx|G.*GET /ajaxClient.aspx))^(?:[^=\n]*=){5}\w+\s+\d+\s+\d+\s+\d+\s+(?P<responseTime_1>.+)" | rex "(?=[^G]*(?:GET /ajaxClient.aspx|G.*GET /ajaxClient.aspx))^(?:[^\-\n]*\-){7}[a-f0-9]+\s+\d+\s+\d+\s+\d+\s+(?P<responseTime_2>.+)" | where isnull(responseTime_1) AND isnull(responseTime_2)

*OR*

index=idx1 sourcetype=src1 "GET /ajaxClient.aspx" | rex "(?=[^G]*(?:GET /ajaxClient.aspx|G.*GET /ajaxClient.aspx))^(?:[^=\n]*=){5}\w+\s+\d+\s+\d+\s+\d+\s+(?P<responseTime_1>.+)" | rex "(?=[^G]*(?:GET /ajaxClient.aspx|G.*GET /ajaxClient.aspx))^(?:[^\-\n]*\-){7}[a-f0-9]+\s+\d+\s+\d+\s+\d+\s+(?P<responseTime_2>.+)" | eval resp_time=coalesce(responseTime_1,  responseTime_2) | where isnull(resp_time) 

OR if possible, share your raw events, and someone may be able to come up with a regex that matches both conditions.
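The technique in this answer (run both extractions over the base search, then keep only the events where both fields are null) can be checked offline before it is trusted in Splunk. The following is an added example, not code from the original thread: it applies the two regexes from the question verbatim to a handful of constructed log lines in Python, emulates the base search's literal filter as a substring test, and returns the "remaining" events, i.e. the ones no extraction covers. Those leftovers are exactly the parsing blind spots a detection engineer wants to surface.

```python
import re

# Constructed sample events (not from the original post). Line 1 fits the
# FieldX pattern (five "=" before the numeric columns), line 2 fits the FieldY
# pattern (seven "-" then a hex token), line 3 hits the base search but neither
# regex, and line 4 is outside the base search entirely.
EVENTS = [
    "GET /ajaxClient.aspx?a=1&b=2&c=3&d=4&e=5 200 12 34 0.123",
    "GET /ajaxClient.aspx?x&workser=a-b-c-d-e-f-g-deadbeef 200 12 34 0.456",
    "GET /ajaxClient.aspx?a=1 200 12 34 0.789",
    "GET /other.aspx?a=1&b=2&c=3&d=4&e=5 200 12 34 0.999",
]

BASE_FILTER = "GET /ajaxClient.aspx"  # the base search's literal term

# The two regexes from the question, unchanged (Splunk's rex uses PCRE;
# these constructs behave the same under Python's re).
RX_X = re.compile(
    r"(?=[^G]*(?:GET /ajaxClient.aspx|G.*GET /ajaxClient.aspx))"
    r"^(?:[^=\n]*=){5}\w+\s+\d+\s+\d+\s+\d+\s+(?P<responseTime_1>.+)"
)
RX_Y = re.compile(
    r"(?=[^G]*(?:GET /ajaxClient.aspx|G.*GET /ajaxClient.aspx))"
    r"^(?:[^\-\n]*\-){7}[a-f0-9]+\s+\d+\s+\d+\s+\d+\s+(?P<responseTime_2>.+)"
)


def partition(events):
    """Mirror the answer's pipeline: base search -> rex -> rex -> where isnull.

    Returns (matched, remaining): matched is a list of (event, resp_time)
    pairs where resp_time is coalesce(responseTime_1, responseTime_2);
    remaining holds the base-search events where both extractions are null.
    """
    matched, remaining = [], []
    for event in events:
        if BASE_FILTER not in event:      # not returned by the main search
            continue
        mx = RX_X.search(event)
        my = RX_Y.search(event)
        rt1 = mx.group("responseTime_1") if mx else None
        rt2 = my.group("responseTime_2") if my else None
        resp_time = rt1 if rt1 is not None else rt2   # eval coalesce(...)
        if resp_time is None:                          # where isnull(resp_time)
            remaining.append(event)
        else:
            matched.append((event, resp_time))
    return matched, remaining


if __name__ == "__main__":
    matched, remaining = partition(EVENTS)
    print(f"{len(matched)} extracted, {len(remaining)} remaining: {remaining}")
```

With real data the remaining list is the 400-event set the question asks for; iterate on the regexes until it is empty or only contains events you have deliberately decided not to parse.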


nirmalya2006
Path Finder

Thank you very much @sundareshr
Though this did not answer my query it helped me figure out a query that gave me the non matching events.

index=index sourcetype=source "GET /ajaxClient.aspx"
| fillnull responseTime_1 value=null
| fillnull responseTime_2 value=null
| search responseTime_1 = null AND responseTime_2 = null
