Splunk Search

How to eliminate results from a search?

apalen
Path Finder

I am searching my new weblogs and it is filled with data like:
db.ConnectionProvider (ConnectionProvider.java: 202) - got conn: jdbc:postgresql://prod-db.mpaygateway.com:34573/mpay, user=null, active/max: 1/12, idle/max: 4/5

I would like to try to eliminate information like this from a general search.
my current search string is:
host="pesweb01" OR host="pesweb02" OR host="pesweb03"
I have tried using uniq and rare, but I feel my lack of understanding is probably the problem.

I have been tasked with maintaining splunk and creating dashboards. I am sifting through our logs to find valuable data.

Any assistance or direction would be greatly appreciated!
Thanks in advance!

1 Solution

lguinn2
Legend

The real question here is - what output do you want? A subset of events and/or a subset of the fields from the events? Do you want a table that shows the number of times something happened?

For example, you could get a list of the top user Ids:

host=pesweb* | top user

Try using the field bar on the left of the search screen. Poke around with that and see if it gives you any useful reports.
Take the Search Tutorial (especially the section on Searching) if you are unfamiliar with search basics.

And be sure to give details of your data and desired results when you post questions! We love to give specific answers.

apalen
Path Finder

THANKS! Between this response and lguinn's response I was able to figure out what I needed to do. Thanks for the assistance Splunk community. Keep being awesome!!


somesoni2
Revered Legend

If you can identify the unique feature of the events you want to exclude (like user=null or any other field value/combination of field values), then you can include a NOT clause in the base search to exclude them. Also, if the same filter has to be applied in multiple places, a good idea would be to create an EventType for it and use that as a filter.

rsennett_splunk
Splunk Employee

lguinn makes a good point. It does sound like a bit more familiarity with the Splunk platform will make things easier for you.

Run your host filter in verbose mode over a full day's log data and let Splunk find as many fields as it can. Then, following lguinn's suggestion of using the left-hand sidebar of fields, you can see what is in these fields. Also you can look at "ALL FIELDS" and see the percentage of times each one appears in the data.

That data you're trying to "Eliminate" is useful to someone... it's in the log after all.

With Splunk... the answer is always "YES!". It just might require more regex than you're prepared for!

apalen
Path Finder

My apologies, I tried using uniq and rare to get fewer results from my overall search, but that method didn't pan out. My end game is to remove that specific information from all searches as it provides no value. I am still very new and learning the commands has been cumbersome.

Thanks in advance!


rsennett_splunk
Splunk Employee

It's unclear as to whether you want to hide events containing that data from the general user community, or whether you want to just eliminate them from YOUR search.
The best way to NOT see something is to identify it with a field extraction and then use NOT or != within the first pipe. You can create an event type that shows you everything except those events that contain that value also.

However your mention of "unique" and "rare" makes your actual question unclear. Can you tell us what the "end game" is and show some of the events?

With Splunk... the answer is always "YES!". It just might require more regex than you're prepared for!
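An added example (not from any poster in this thread) of the two approaches suggested above: a NOT clause in the base search, and the same filter saved as an event type in eventtypes.conf so it can be reused across searches and dashboard panels. The stanza name, the app path and the choice of "got conn:" as the anchor string are assumptions based on the sample event in the question.

```ini
# Constructed example: dropping the JDBC connection-pool lines from the
# pesweb searches in the question.
#
# 1. Inline, in the base search (before the first pipe, so the filtering
#    happens at the indexers and the excluded events are never returned):
#
#      host=pesweb* NOT "db.ConnectionProvider" NOT "got conn:"
#
#    If a field has been extracted for the user value, the filter can be
#    field-based instead. The two forms are not equivalent:
#
#      host=pesweb* NOT user="null"   also keeps events that have no user field
#      host=pesweb* user!="null"      drops events that have no user field
#
# 2. Reusable: save the noise pattern as an event type in
#    $SPLUNK_HOME/etc/apps/<app>/local/eventtypes.conf (stanza name is an
#    assumption). The search in an event type must not contain a pipe.

[pesweb_jdbc_pool_noise]
search = host=pesweb* "db.ConnectionProvider" "got conn:"

# Using it from any search or dashboard panel:
#
#      host=pesweb* NOT eventtype=pesweb_jdbc_pool_noise
#
# Editing the stanza's search later changes the exclusion everywhere the
# event type is referenced, which is the "same filter at multiple places"
# benefit mentioned above.
```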