Hi Splunkers,
I'm pretty new to Splunk and trying to exclude events based on previous results.
Here is an example of my main search results:
9/16/19 2:05AM id1=1111 id2=aaaa error = -1
9/16/19 2:00AM id1=2222 id2=xxxx error = -1
9/16/19 1:50AM id1=1111 id2=xxxx error = 0
9/16/19 1:48AM id1=1111 id2=xxxx error = 100
9/16/19 1:45AM id1=1111 id2=aaaa error = 0
9/16/19 1:30AM id1=1111 id2=xxxx error = 0
9/16/19 1:05AM id1=2222 id2=bbbb error = -1
9/16/19 1:00AM id1=2222 id2=bbbb error = 0
The events I wish to exclude are the ones that have error = -1 and, in the previous 30 minutes, an error = 0 event for the same id1 and id2.
For the example above, event 1 should be excluded because of event 5 and event 7 should be excluded because of event 8.
And the result list I wish to have is:
1. 9/16/19 2:00AM id1=2222 id2=xxxx error = -1
2. 9/16/19 1:50AM id1=1111 id2=xxxx error = 0
3. 9/16/19 1:48AM id1=1111 id2=xxxx error = 100
4. 9/16/19 1:45AM id1=1111 id2=aaaa error = 0
5. 9/16/19 1:30AM id1=1111 id2=xxxx error = 0
6. 9/16/19 1:00AM id1=2222 id2=bbbb error = 0
Not sure what the best approach is here.
Thanks to the helpers
David
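The rule in the post is a sliding-window check per (id1, id2) key: walk events oldest first, remember when each key last reported error = 0, and drop an error = -1 event when such a recovery lies within the previous 30 minutes. The following Python is an added example that is not part of the post or of Splunk; it implements that logic over the eight events quoted above (copied here as constructed sample input, year and AM/PM format as written) and reproduces the six-event result list David asks for. The regex and the function names are assumptions made for the example; note that events with other error values (the error = 100 line) are neither excluded nor counted as recoveries, exactly as in the post.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample input: the eight events from the post, newest first,
# in the order Splunk would return them.
RAW_EVENTS = [
    "9/16/19 2:05AM id1=1111 id2=aaaa error = -1",
    "9/16/19 2:00AM id1=2222 id2=xxxx error = -1",
    "9/16/19 1:50AM id1=1111 id2=xxxx error = 0",
    "9/16/19 1:48AM id1=1111 id2=xxxx error = 100",
    "9/16/19 1:45AM id1=1111 id2=aaaa error = 0",
    "9/16/19 1:30AM id1=1111 id2=xxxx error = 0",
    "9/16/19 1:05AM id1=2222 id2=bbbb error = -1",
    "9/16/19 1:00AM id1=2222 id2=bbbb error = 0",
]

# Field extraction (assumed format): the post writes "error = -1" with spaces,
# so the pattern tolerates whitespace around "=", as a Splunk rex would have to.
LINE_RE = re.compile(
    r"^(?P<ts>\d+/\d+/\d+ \d+:\d+[AP]M)\s+id1=(?P<id1>\S+)\s+id2=(?P<id2>\S+)"
    r"\s+error\s*=\s*(?P<error>-?\d+)"
)


def parse_event(line):
    """Turn one raw line into a dict with _time, id1, id2, error and _raw."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparseable event: {line!r}")
    return {
        "_time": datetime.strptime(m["ts"], "%m/%d/%y %I:%M%p"),
        "id1": m["id1"],
        "id2": m["id2"],
        "error": int(m["error"]),
        "_raw": line,
    }


def suppress_recovered_errors(lines, window=timedelta(minutes=30)):
    """Return the raw events, newest first, minus every error=-1 event that is
    preceded within `window` by an error=0 event for the same (id1, id2).
    This is the same thing as sorting oldest first and keeping, per key, a
    running count of error=0 events in the trailing 30-minute window."""
    events = sorted((parse_event(l) for l in lines), key=lambda e: e["_time"])
    recent_zero = defaultdict(deque)  # (id1, id2) -> _time of recent error=0 events
    kept = []
    for ev in events:  # oldest first, so "previous 30 minutes" means earlier events only
        q = recent_zero[(ev["id1"], ev["id2"])]
        while q and ev["_time"] - q[0] > window:
            q.popleft()  # age out recoveries older than the window
        if ev["error"] == -1 and q:
            continue  # a recovery (error=0) for this key preceded the failure in the window
        if ev["error"] == 0:
            q.append(ev["_time"])
        kept.append(ev)
    kept.sort(key=lambda e: e["_time"], reverse=True)  # back to Splunk's newest-first order
    return [e["_raw"] for e in kept]


if __name__ == "__main__":
    for i, line in enumerate(suppress_recovered_errors(RAW_EVENTS), 1):
        print(f"{i}. {line}")
```

In SPL the same windowed, per-key lookback is what `streamstats` with a time window gives you; the shape it would take is, from memory and to be checked against your Splunk version, `... | sort 0 _time | streamstats time_window=30m current=f count(eval(error=0)) AS zeros_before by id1 id2 | where NOT (error=-1 AND zeros_before>0) | sort 0 -_time`. The `sort 0 _time` matters for the same reason the Python sorts first: Splunk returns events newest first, and without re-ordering the "previous" events in the stream would be later in time, not earlier.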