I have splunk logs that are of 2 types, successes and failures. They contain 2 things:
"SUCCESS" "ID: <IDNumber>"
"FAILURE" "ID: <IDNumber>"
My goal is to find IDs that are identified with failures that are not also identified with a success. So for the data:
"SUCCESS" "ID: 0000", "FAILURE" "ID: 0000", "SUCCESS" "ID: 1111", "FAILURE" "ID: 2222", "SUCCESS" "ID: 3333", "FAILURE" "ID: 4444"
the result would be the IDs 2222 and 4444
My current search is:
index=sampleindex source=samplesource "SUCCESS" | rex field=_raw "ID: (?<id1>\d+)" | join [search index=sampleindex source=samplesource "FAILURE" | rex field=_raw "ID: (?<id2>\d+)"] | table id1, id2
I am able to perform each of these searches separately and output the ids, but when I combine them I cannot get the results of either id1 or id2, so I am not able to compare them
Does anyone know how I can structure my search to achieve my final goal?
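The set-difference logic the question describes (IDs with a FAILURE event and no SUCCESS event), worked through in Python over the six records from the post, as an added example that is not part of the original post or of any Splunk search. The sample events and the regex are constructed here to match the quoted format; an unrelated line is included to show that events without a status/ID pair are skipped rather than breaking the aggregation.

```python
import re
from collections import defaultdict

# Constructed sample events mirroring the six records in the question
# (plus one unrelated line); not real Splunk output.
SAMPLE_EVENTS = [
    '"SUCCESS" "ID: 0000"',
    '"FAILURE" "ID: 0000"',
    '"SUCCESS" "ID: 1111"',
    '"FAILURE" "ID: 2222"',
    '"SUCCESS" "ID: 3333"',
    '"FAILURE" "ID: 4444"',
    'unrelated event with no status',  # ignored: no status/ID pair
]

# Assumed event layout: the status token, then "ID: <digits>" somewhere after it.
EVENT_RE = re.compile(r'"(?P<status>SUCCESS|FAILURE)".*?ID:\s*(?P<id>\d+)')


def parse_event(raw):
    """Return (status, id) for one event, or None when no status/ID pair is present."""
    m = EVENT_RE.search(raw)
    if not m:
        return None
    return m.group("status"), m.group("id")


def statuses_by_id(events):
    """Group events by ID: maps each ID to the set of statuses seen for it.

    This is the single-pass aggregation that avoids joining two searches:
    both SUCCESS and FAILURE events are read once and bucketed by ID.
    """
    seen = defaultdict(set)
    for raw in events:
        parsed = parse_event(raw)
        if parsed is None:
            continue  # skip events that carry neither a status nor an ID
        status, id_ = parsed
        seen[id_].add(status)
    return seen


def failures_without_success(events):
    """IDs that logged at least one FAILURE and never a SUCCESS, sorted."""
    seen = statuses_by_id(events)
    return sorted(i for i, s in seen.items() if "FAILURE" in s and "SUCCESS" not in s)


if __name__ == "__main__":
    print(failures_without_success(SAMPLE_EVENTS))  # ['2222', '4444']
```

The key point is that the two event types are read in one pass and grouped by ID, so 0000 (which has both a SUCCESS and a FAILURE) drops out without needing a join between two separate searches.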