Splunk Search

If an event with "removed" appears, how to exclude all other events with the same ID from search results?

spsdoit
New Member

The events look like this:

DATE=2015-01-19;TIME=10:34:20;STATUS=INFO;ID=57689;JOB=;ACTION=updateCounter;REASON=NotDigital

DATE=2015-01-19;TIME=10:34:20;STATUS=INFO;ID=30689;JOB=;ACTION=updateCounter;REASON=NotDigital

DATE=2015-01-19;TIME=10:34:20;STATUS=INFO;ID=57689;JOB=;ACTION=updateCounter;REASON=Digital

DATE=2015-01-19;TIME=10:34:20;STATUS=INFO;ID=30689;JOB=;ACTION=updateCounter;REASON=Digital

I do group them in a transaction (transaction ID, REASON).
It does happen that the ORDER gets deleted by the application owner. Then I do have the following event:

DATE=2015-01-09;TIME=14:04:30;STATUS=INFO; JOB=HousekeepingTask;ACTION=deleteFromFileSystem;REASON=Order 30689 removed from file system by user example

The search looks like:

search index=applicationX sourcetype=application | transaction ID, REASON maxspan=350000s | chart stuff ...

I know I could remove them from the results with NOT ID=XXXYYY, but I need to remove them as soon as the orders are removed by the application.

Thank you very much for any suggestion.

0 Karma
1 Solution

richgalloway
SplunkTrust
SplunkTrust

Perhaps something like this?

search index=applicationX sourcetype=application | transaction ID maxspan=350000s | where NOT like(REASON,"% removed %") | chart stuff ...

I removed REASON from the transaction command so all events with the same ID will be in the same transaction. Then the where command should eliminate transactions with "remove" in the REASON field.

---
If this reply helps you, Karma would be appreciated.

spsdoit
New Member

Well yes, indeed this will work; I need to add a transaction with REASON at the end:

search index=applicationX sourcetype=application | transaction ID maxspan=350000s | where NOT like(REASON,"% removed %") | transaction REASON | chart stuff ...

It can happen that I have something like 250000 events; this may slow the report down. I will give it a try to accelerate the search.
Otherwise, I will summarize, then create the report on the summary index.
Thank you richgalloway.

0 Karma

spsdoit
New Member

Thank you. This won't work because your example removes only the event (or transaction) with "removed" in it.
As you can see, the REASON field has a different value. I tried that.
The search needs to somehow get the ID from the remove-event into a variable and then NOT ID like...
Sorry if my explanation is misleading.

0 Karma

richgalloway
SplunkTrust
SplunkTrust

According to the manual, the where command should remove the entire transaction.
The key is making sure all events with the same ID are the same transaction. That is why I use only the ID field in the transaction command.

---
If this reply helps you, Karma would be appreciated.
0 Karma
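To make the logic the thread converges on concrete, here is an added Python example (not from the thread and not Splunk's own code): it parses constructed sample events modelled on the question, pulls the order ID out of the removal event's REASON text with a regex (that event carries no ID= field), and drops every event with that ID before grouping the rest by (ID, REASON). The regex and the sample lines are assumptions; in SPL the same idea is a subsearch of the removal events feeding a NOT clause ahead of the transaction command.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed sample events modelled on the question (not real log data).
EVENTS = [
    "DATE=2015-01-19;TIME=10:34:20;STATUS=INFO;ID=57689;JOB=;ACTION=updateCounter;REASON=NotDigital",
    "DATE=2015-01-19;TIME=10:34:20;STATUS=INFO;ID=30689;JOB=;ACTION=updateCounter;REASON=NotDigital",
    "DATE=2015-01-19;TIME=10:34:20;STATUS=INFO;ID=57689;JOB=;ACTION=updateCounter;REASON=Digital",
    "DATE=2015-01-19;TIME=10:34:20;STATUS=INFO;ID=30689;JOB=;ACTION=updateCounter;REASON=Digital",
    "DATE=2015-01-09;TIME=14:04:30;STATUS=INFO; JOB=HousekeepingTask;ACTION=deleteFromFileSystem;"
    "REASON=Order 30689 removed from file system by user example",
]

# Assumed pattern for the housekeeping message; adjust to the real wording.
REMOVED_RE = re.compile(r"Order\s+(\d+)\s+removed")


def parse_event(raw: str) -> Dict[str, str]:
    """Split a 'KEY=value;KEY=value' line into a dict (a Splunk-style KV extraction)."""
    fields: Dict[str, str] = {}
    for part in raw.split(";"):
        part = part.strip()
        if "=" in part:
            key, value = part.split("=", 1)
            fields[key.strip()] = value.strip()
    return fields


def removed_ids(events: List[Dict[str, str]]) -> Set[str]:
    """Collect the order IDs named in removal events. The removal event has no ID=
    field, so the ID is taken from REASON, like 'rex field=REASON' would in SPL."""
    ids: Set[str] = set()
    for ev in events:
        match = REMOVED_RE.search(ev.get("REASON", ""))
        if match:
            ids.add(match.group(1))
    return ids


def surviving_transactions(raw_events: List[str]) -> Dict[Tuple[str, str], List[Dict[str, str]]]:
    """Drop every event whose ID was removed, then group the rest by (ID, REASON),
    mirroring 'NOT [subsearch of removed IDs] | transaction ID, REASON'."""
    events = [parse_event(r) for r in raw_events]
    gone = removed_ids(events)
    groups: Dict[Tuple[str, str], List[Dict[str, str]]] = {}
    for ev in events:
        # Removal events carry no ID and are skipped; removed orders go entirely.
        if "ID" not in ev or ev["ID"] in gone:
            continue
        groups.setdefault((ev["ID"], ev["REASON"]), []).append(ev)
    return groups
```

Only the two transactions for order 57689 survive; order 30689 disappears as soon as its removal event is present, regardless of the REASON values on its other events.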