cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
ShubhamWanne
Explorer
Member since: ‎12-21-2022
‎01-12-2023
Community Statistics
Posts 3
Solutions 0
Karma Given 2
Karma Received 0
Member Since ‎12-21-2022
Activity Feed
View All

Re: Splunk Query

by in Splunk Enterprise
‎12-21-2022 06:28 PM
‎12-21-2022 06:28 PM
IN-PROGRESS events are random and can have duplicate events name, they don't follow any kind of order as such. Thank you. ... View more

Re: Splunk Query

by in Splunk Enterprise
‎12-21-2022 07:58 AM
‎12-21-2022 07:58 AM
I appreciate the quick reponse @richgalloway  but this query fails in scenario where: COMPLETED (C) Event1, Event2, Event3 and IN-PROGRESS (I-P) Event1, Event2, Event2, Event2 Then index=abc (message="*IN-PROGRESS*" OR message="*COMPLETED*") | eval splitStr=split(message, ",") | eval eventName=mvindex(splitStr,1)  This query will list Event1(C), Event1(I-P), Event2(I-P),Event2(I-P),Event2(I-P),Event2(C),Event3(C) and   | dedup eventName will return  Event1(C), Event2(I-P),Event3(C) and | where NOT match(message, "COMPLETED") will return  Event2 Ideally, result should be 0. Thank you. ... View more

How to write a search to implement NOT IN function...

by in Splunk Enterprise
‎12-21-2022 06:08 AM
‎12-21-2022 06:08 AM
I am new to splunk and working on a complex query where; I am supposed to implement NOT IN functionality in SQL along with eval I want to skip all the IN-PROGRESS events who later went into COMPLETED state, and display all the events which are still in IN-PROGRESS state. For example COMPLETED events: event1 event5 event4 event7 IN-PROGRESS events: event3 event1 event4 Expected result event3 Given below are the queries to fetch COMPLETED and IN-PROGRESS events: index=abc message="*COMPLETED*" | eval splitStr=split(message, ",") | eval eventName=mvindex(splitStr,1) | table eventName index=abc message="*IN-PROGRESS*" | eval splitStr=split(message, ",") | eval eventName=mvindex(splitStr,1) | table eventName Thank you in advance. ... View more
Labels
Contact Me
Online Status
Offline
Date Last Visited
‎01-12-2023 02:52 AM
Karma given to
View All