Solved: How can I bypass or ignore a word in a result with...

rasamur · ‎07-21-2017

Hi

Good morning. I have literally searched in several documents on how to do this, but still I haven't really found what I'm looking for (At least I think). So what I'm trying to do is to search in a source="file.csv" a series of words that matches an issue, for this example it is "drive" issues, like "Hard Drive" issues, etc. (The .csv is a compilation of Emails, in which it has column (Fields) identified by "Subject", "Body") but unfortunately that same word may be accompanied by a punctuation sign or a word that it's combination will result in a result I do not need, for example "2120 Drake Drive".

Example of search:
source"file.csv" drive

I have the words I need to discard (for this example it would be Drake). My question is, How can I ask Splunk to search for Drive, but ignore those results that show as Drake Drive without discarding the result (bypass)? To explain the question a bit better, when the results come up it shows that it finds results with that word (Drive), but it is not because it is a Drive issue, it is because it shows that in the signature of the email it shows Drake Drive.

I tried the following:

source"file.csv" drive NOT "drake drive"

But this what it does is discard the result because of the address in the signature, and the email may have a Hard drive issue. I hope I was able to make my point, and explain my question.

Any thoughts on how can I do this?

woodcock · ‎07-22-2017

Like this:

| makeresults 
| eval Body="A bad disk drive will drive anybody on
Drake Drive insane, especially poor Drake"

| rename COMMENT AS "Everything above generates sample data; everything below is your solution"

| rex max_match=100 field=Body "(?msi)(?<drive>drive)"
| eval drive_count=mvcount(drive)
| rex max_match=100 field=Body "(?msi)(?<drake_drive>drake drive)"
| eval drake_drive_count=mvcount(drake_drive)
| eval etc_drive_count=0
| where drive_count > (drake_drive_count + etc_drive_count)

View solution in original post

woodcock · ‎07-22-2017

Like this:

| makeresults 
| eval Body="A bad disk drive will drive anybody on
Drake Drive insane, especially poor Drake"

| rename COMMENT AS "Everything above generates sample data; everything below is your solution"

| rex max_match=100 field=Body "(?msi)(?<drive>drive)"
| eval drive_count=mvcount(drive)
| rex max_match=100 field=Body "(?msi)(?<drake_drive>drake drive)"
| eval drake_drive_count=mvcount(drake_drive)
| eval etc_drive_count=0
| where drive_count > (drake_drive_count + etc_drive_count)

rasamur · ‎07-24-2017

Hi Woodcock

This did the trick, thank you for your effort and time.

Best regards

wpreston · ‎07-21-2017

You'll probably have to use some regex-fu to make this work. Create a field using the rex command and use a negative lookbehind to find "Drake " or "drake " preceding "drive" to discard those matches. Then search for any events with a value in your new field. Something like this:

base search 
| rex "(?i)(?<Valid_Drive>(?<!drake\s)drive)"
| search Valid_Drive=*

gcusello · ‎07-21-2017

Hi rasamur,
sorry but I don't understand your question:
to search for a word you have to insert it in your search and to discard one or more words your have to insert NOT before the word
(if they are more than one use parenthesys and OR: NOT (word1 OR word2))
in other words:

your search Drive NOT Drake | ...

Bye.
Giuseppe

How can I bypass or ignore a word in a result withouth affecting to search for that same word

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor