
Exclude certain logs with a specific attribute from a search that has multiple sources

Abdulm1
Explorer

I am trying to create a report that will run on a schedule and combines different sourcetypes, running from the datamodel like below.

| datamodel Email All_Email search
| search sourcetype="ms0365log" OR sourcetype="emaillog" OR sourcetype=exchange2019 OR sourcetype=maillog

For sourcetype=maillog I want, during the search, to exclude any maillog event that has final_rule!=scanning from the result. When I run the command below for one sourcetype it works well, but when I add multiple sourcetypes like above it fails.

Single sourcetype works fine
| datamodel Email All_Email search
| search sourcetype = "maillog" |spath final_rule | search final_rule!=scanning

Multiple sourcetype fails

| datamodel Email All_Email search
| search sourcetype = "ms0365log OR sourcetype = "emaillog" OR sourcetype=exchange2019 OR sourcetype=maillog "|spath final_rule | search final_rule!=scanning"
|
Any ideas? I don't mind removing spath.

0 Karma

to4kawa
Ultra Champion
| datamodel Email All_Email search
| search "ms0365log" OR "emaillog" OR "exchange2019" OR "maillog"
| spath final_rule 
| search final_rule!=scanning

Why don't you search strings?

Abdulm1
Explorer

@to4kawa When I used the search strings you gave above, all other sourcetype events are not searched. I guess they are excluded because the other sourcetypes do not have the final_rule field.

0 Karma

to4kawa
Ultra Champion

Has your goal been achieved? If so, please accept the answer.

0 Karma

Abdulm1
Explorer

No, it has not been achieved, as I only want logs from maillog that have the field final_rule=scanning to be excluded from the report, but now what happens is that the other sourcetypes are entirely excluded as well, which is not what I want. I want the exclusion to be specific to one particular sourcetype.

Thanks.

0 Karma

to4kawa
Ultra Champion

I am not sure the results are OK.

 | datamodel Email All_Email search
 | search "ms0365log" OR "emaillog" OR "exchange2019" OR "maillog"

Is this OK?

0 Karma

Abdulm1
Explorer

That works fine, but the events with the field "final_rule!=scanning" from maillog are not excluded, which is what I am trying to achieve. Thanks for your reply.

0 Karma

to4kawa
Ultra Champion
 | datamodel Email All_Email search
 | search "ms0365log" OR "emaillog" OR "exchange2019" OR "maillog"
 | search NOT ( "final_rule" AND "scanning") 
 | spath final_rule

How's this?

0 Karma
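As an added example that is not part of the thread: in SPL a `field!=value` test only matches events in which the field exists, so `final_rule!=scanning` silently drops every ms0365log, emaillog and exchange2019 event, which have no final_rule. Scoping the exclusion with `NOT (sourcetype=... AND final_rule=...)` keeps those events and removes only the maillog events whose final_rule is scanning (the exclusion Abdulm1 describes in the later reply); `spath` is run before the filter so final_rule is extracted, and the datamodel and sourcetype names are taken from the thread.

```spl
| datamodel Email All_Email search
| search sourcetype="ms0365log" OR sourcetype="emaillog" OR sourcetype="exchange2019" OR sourcetype="maillog"
| spath final_rule
| search NOT (sourcetype="maillog" AND final_rule="scanning")
```

A quick check is `| stats count BY sourcetype, final_rule` appended to the search: the three other sourcetypes should still appear with an empty final_rule, and maillog should show no "scanning" row.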