Getting Data In

Please help me out to filter or restrict with exact value as mentioned below?

Shan
Builder

Hi All,

Need your help on finding a solution for below problem..

This is how my data appear in Index.


I want to filter only data having a value like "SPLUNK" or "SPLUNK,HTSV" or "SPLUNK,CHECK" etc. from all the following labels (labels, label1, label2, label3, label4). I want to exclude the following data: "SPLUNK-AUTOCHECK", "SPLUNK-Mining", "DATA,SPLUNK-TRANSACTION", "SPLUNK_TRANSACTION", "SPLUNK-AUTO", "SPLUNK_AUTO". I want to remove all the values which start with "SPLUNK-************" or "SPLUNK_************".
I was trying to filter using the below query, but I'm unable to achieve it.

index=****  labels="SPLUNK" OR label1="SPLUNK" OR  label2="SPLUNK" OR  label4="SPLUNK"

When I use the above query, I'm getting the following values: "SPLUNK-AUTO", "DATA,SPLUNK-TRANSACTION", "SPLUNK", "SPLUNK,HTSV", "SPLUNK-AUTOCHECK". But I need only values like "SPLUNK".

I am able to achieve it with the below mentioned query, but I still want to achieve it without a NOT condition.

index=****  labels="SPLUNK" OR label1="SPLUNK" OR  label2="SPLUNK" OR  label4="SPLUNK" NOT "SPLUNK-"

Thanks in advance...

0 Karma

Shan
Builder

@niketnilay ,

Labels, label1, label2, label3, label4 won't be available in all events. One event may contain at least one label or maybe 2, 3 labels. Max one event can contain minimum 1 label and maximum 5 labels. I need to fetch data only having value as "SPLUNK". Etc. means there are n number of combination values with "SPLUNK". I have provided little sample data here ..

0 Karma

Shan
Builder

Any update on above query ?

0 Karma

niketn
Legend

@shankarananth do your events have labels, label1, label2 and label4 available in each event?

In your question you have mentioned that you need values of "SPLUNK" or "SPLUNK,HTSV" or "SPLUNK,CHECK" etc. but in your filter you have just used "SPLUNK". What is `etc`? Are there a fixed number of combinations or patterns?

In your question you have mentioned the filter to be applied on all label fields i.e. labels, label1, label2, label3, label4 but in your query label3 is not present. Is it not required for filtering?

Following is a run anywhere search which generates data as per your question:

| makeresults 
| eval labels="Project,SPLUNK-TRANSACTION", label1="SPLUNK-AUTO", label2="SPLUNK-AUTOCHECK",label3="SPLUNK-AUTOCHECK",label4="SPLUNK-Minig" 
| append 
    [| makeresults 
    | eval labels="SPLUNK-AUTO", label1="SPLUNK", label2="SPLUNK-Mining",label3="SPLUNK-Evaluate",label4="SPLUNK"] 
| append 
    [| makeresults 
    | eval labels="DATA,SPLUNK-TRANSACTION", label1="SPLUNK-AUTO", label2="SPLUNK-TRANSACTION,Fill",label3="SPLUNK",label4="SPLUNK,HTSV"] 
| append 
    [| makeresults 
    | eval labels="SPLUNK,HTSV", label1="SPLUNK,HTSV", label2="SPLUNK,HTSV",label3="SPLUNK,Search",label4="SPLUNK,Data mining"] 
| append 
    [| makeresults 
    | eval labels="KT,SPLUNK-HTSV", label1="SPLUNK_TRANSACTION", label2="SPLUNK",label3="SPLUNK",label4="SPLUNK,Super Store"] 
| append 
    [| makeresults 
    | eval labels="KT,SPLUNK-HTSV,htsv", label1="SPLUNK,CHECK", label2="SPLUNK,CHECK",label3="SPLUNK,CHECK",label4="SPLUNK"] 
| append 
    [| makeresults 
    | eval labels="SPLUNK", label2="SPLUNK,HTSV",label3="SPLUNK,CHECK",label4="SPLUNK_AUTO"] 
| table labels label*

Based on your question and sample data following check will give all rows that are present in your data i.e. with filter "SPLUNK","SPLUNK,HTSV","SPLUNK,CHECK" applied on labels, label1, label2 and label4 fields:

| search labels IN ( "SPLUNK","SPLUNK,HTSV","SPLUNK,CHECK" ) OR label1 IN ( "SPLUNK","SPLUNK,HTSV","SPLUNK,CHECK" ) OR label2 IN ( "SPLUNK","SPLUNK,HTSV","SPLUNK,CHECK" ) OR label4 IN ( "SPLUNK","SPLUNK,HTSV","SPLUNK,CHECK" )

Following is a query similar to your question with only SPLUNK filter applied on labels, label1, label2 and label4 fields:

 | search labels="SPLUNK" OR label1="SPLUNK" OR label2="SPLUNK" OR label4="SPLUNK"

It returns 4 of the 7 rows provided in your data. Which are the rows you think are listed incorrectly? Do you need some specific columns to be removed instead?

Please add more clarification.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
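As an added example (not part of this thread and not niketn's or Splunk's own code), here is one way to express the filter the question describes without a NOT clause: keep a row when any of the label fields is exactly "SPLUNK" or a comma-separated value that begins with "SPLUNK," and drop values such as "SPLUNK-AUTO" or "SPLUNK_AUTO", whose second character after the prefix is a hyphen or underscore rather than a comma. The rows are constructed from the sample data above; the regex `^SPLUNK(,|$)` is an assumption about what "etc" means, and the `keep` field name is mine.

```spl
| makeresults
| eval labels="Project,SPLUNK-TRANSACTION", label1="SPLUNK-AUTO", label2="SPLUNK-AUTOCHECK", label3="SPLUNK-AUTOCHECK", label4="SPLUNK-Mining"
| append [| makeresults | eval labels="SPLUNK-AUTO", label1="SPLUNK", label2="SPLUNK-Mining", label3="SPLUNK-Evaluate", label4="SPLUNK"]
| append [| makeresults | eval labels="DATA,SPLUNK-TRANSACTION", label1="SPLUNK-AUTO", label2="SPLUNK-TRANSACTION,Fill", label3="SPLUNK", label4="SPLUNK,HTSV"]
| append [| makeresults | eval labels="KT,SPLUNK-HTSV", label1="SPLUNK_TRANSACTION", label2="SPLUNK", label3="SPLUNK", label4="SPLUNK,Super Store"]
| append [| makeresults | eval labels="SPLUNK", label2="SPLUNK,HTSV", label3="SPLUNK,CHECK", label4="SPLUNK_AUTO"]
``` 
``` 
| eval keep=0
``` 
``` 
| foreach label* [ eval keep=if(match(coalesce('<<FIELD>>', ""), "^SPLUNK(,|$)"), 1, keep) ]
``` 
``` 
| where keep=1
| table labels label*
```

`foreach label*` iterates over every field whose name starts with `label` (so `labels` and `label1` through `label4`), and `coalesce` turns a field that is absent from an event into an empty string, which handles the point raised in the thread that not every event carries all five labels. The anchored regex only accepts "SPLUNK" followed by a comma or the end of the value, so prefixed forms such as "SPLUNK-" and "SPLUNK_" never match and no exclusion clause is needed; a value like "DATA,SPLUNK-TRANSACTION" is also rejected because "SPLUNK" is not at the start of the value.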


Shan
Builder

@niketnilay ,

If you have some update. Please let me know ..

0 Karma