Hello splunk users,
So I have a system that I am logging all errors to splunk. I have been getting a few false positives in my alert I setup.
I have found the error in the Message field and have updated my search to include "NOT = 'ERROR1' NOT = 'ERROR2'".
I have created a KNOWN_ERROR.CSV that looks like this:
KNOWN_ERROR
ERROR1
ERROR2
Here is my current search that works:
index=* host=HOSTNAME* source="WinEventLog:Application" Type=Error (SourceName=APP_NAME*) NOT 'ERROR1' NOT "ERROR2"
| eval src=SourceName
| table Message
*The Message field is the Windows Application event message sent from the application, which includes the phrase ERROR 1 or ERROR 2.
I have gotten some luck with this:
index=* host=HOSTNAME* source="WinEventLog:Application" Type=Error (SourceName=APP_NAME*) NOT [|inputlookup Known_Error.csv]
When I inspect the job I find that the search is kinda working:
Normalized Search:
litsearch (index=* ((sourcetype="ms:iis:auto" s_computername="HOSTNAME*") OR (sourcetype="ms:iis:default" s_computername="HOSTNAME*") OR host="HOSTNAME*") source="WinEventLog:Application" Type=Error SourceName=APP_NAME* NOT Known_Error="ERROR1" NOT Known_Error="ERROR2") | litsearch (index=* host=HOSTNAME* source="WinEventLog:Application" Type=Error SourceName=APP_NAME* NOT Known_Error="ERROR1" NOT Known_Error="ERROR2") | eval src=SourceName
The issue seems to be that the NOT includes Known_Error (the header of my CSV), but I want it to search for the error in the Message field.
Hope you guys can help.
Try this:
index=* host=HOSTNAME* source="WinEventLog:Application" Type=Error (SourceName=APP_NAME*) NOT [ |inputlookup Known_Error.csv | table KNOWN_ERROR | format "(" "" "" "" "OR" ")" | rex field=search mode=sed "s/KNOWN_ERROR=//g" ]
That is the default behavior of the subsearch (it returns key-value pairs based on the fields available in the subsearch). This can be overridden by using a special field name in the subsearch, which is search or query. Try something like this:
index=* host=HOSTNAME* source="WinEventLog:Application" Type=Error (SourceName=APP_NAME*) NOT [|inputlookup Known_Error.csv | table KNOWN_ERROR | rename KNOWN_ERROR as search ]
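As an added example (not from either answer above), the same suppression with each lookup value wrapped in double quotes before it is handed back as the search field, so that known errors containing spaces are matched as a phrase instead of being split into separate terms, and blank rows in the CSV cannot turn into an empty NOT clause. The lookup file name and column name are the ones from the question; the Message column list at the end is an assumption.

```spl
index=* host=HOSTNAME* source="WinEventLog:Application" Type=Error (SourceName=APP_NAME*)
    NOT [
        | inputlookup Known_Error.csv
        | where len(KNOWN_ERROR) > 0
        | dedup KNOWN_ERROR
        | eval search = "\"" . KNOWN_ERROR . "\""
        | table search
    ]
| table _time host SourceName Message
```

Run the subsearch on its own (everything between the brackets) to see the quoted values it produces before trusting the alert; with a large CSV also keep in mind the default subsearch limit of 10,000 results, beyond which entries are silently dropped.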