How to find a log entry that doesn't have a match ...

mortya · ‎03-11-2019

So, I get a bunch of log entries that look something like this (grossly simplified) example:

host1 tag - foo
host1 tag + foo
host1 tag - bar
host1 tag - something
host1 tag + something
host1 tag - evil
host1 tag + blarg
host2 tag - zoinks

I want to find the log entries that have a "- $thing" without a corresponding "+ $thing" in a 24-hour period. So for the above, I want to see "bar evil zoinks".

I can easily write a search to find the "-" entries. But when I try to exclude the ones with a corresponding "+" entry, it gets hairy. The original query already takes a while to run, and I can have thousands of matches. The obvious approach would seem to be a subsearch. But a subsearch seems like it's asking for an N-squared performance. Is there some better way to do this? I would intuitively expect that maybe a join or a selfjoin would help, but I can't figure it out. I'll keep working on this in the meantime.

Thanks!

mayurr98 · ‎03-11-2019

I don't know if this will work or not but you can give it a try.

<fields with dash and name seperated>| table dash name 
| streamstats values(dash) as d by name |stats values(d) as d by name | where NOT d="+"

Also try this :

<field with dash and name seperated> | table dash name |  transaction name startswith=dash="+" endswith=dash="-" maxevents=2 keepevicted=t | where linecount=1 AND dash="-" AND field_match_sum=1 | table name

How to find a log entry that doesn't have a match with another one?

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life