Alerting
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

how to build a search excluding the result of another line

yohan_ch
New Member
‎12-09-2018 02:25 PM

let say here is my log:
id 123456789 appear here
id 123456789 something bad want to exclude
id 111111111 appear here

how to build a search so that it will only pickup id with "appear here" but not "something bad want to exclude"? in this case the desired result is the 111111111

Tags (1)
0 Karma
Reply

whrg
Motivator
‎12-10-2018 01:18 AM

I presume you have the "id" field available for searching. If not, create a field extraction for it.

Use a subsearch to exclude specific events from a base search:

index=... NOT [search index=... "something bad want to exclude" | table id]
0 Karma
Reply

amiftah_splunk
Splunk Employee
Splunk Employee
‎12-09-2018 06:53 PM

Following your example, the result should look like:
123456789
111111111
Because both events have appear here.

If the "appear here" pattern doesn't change you can add it to your search, E.g.:
index=test "appear here" | rex "id\s+(?<id>[0-9]{9})" |table id

Otherwise, you can exclude what you don't want:
index=test NOT "something bad want to exclude" | rex "id\s+(?<id>[0-9]{9})" |table id

Hope it helps.

0 Karma
Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...