Hi Splunkers,
I'm pretty new to Splunk and trying to exclude events based on previous results.
Here is an example of my main search results:
1. 9/16/19 2:05AM **id1**=1111 **id2**=aaaa **error** = -1
2. 9/16/19 2:00AM **id1**=2222 **id2**=xxxx **error** = -1
3. 9/16/19 1:50AM **id1**=1111 **id2**=xxxx **error** = 0
4. 9/16/19 1:48AM **id1**=1111 **id2**=xxxx **error** = 100
5. 9/16/19 1:45AM **id1**=1111 **id2**=aaaa **error** = 0
6. 9/16/19 1:30AM **id1**=1111 **id2**=xxxx **error** = 0
7. 9/16/19 1:05AM **id1**=2222 **id2**=bbbb **error** = -1
8. 9/16/19 1:00AM **id1**=2222 **id2**=bbbb **error** = 0
The events I wish to exclude are the ones that have **error = -1** and, in the **last 30 min**, there is **error = 0** for the **same id1 and id2**.
For the example above, event 1 should be excluded because of event 4 and event 6 should be excluded because of event 7.
And the result list I wish to have is:
1. 9/16/19 2:00AM id1=2222 id2=xxxx error = -1
2. 9/16/19 1:50AM id1=1111 id2=xxxx error = 0
3. 9/16/19 1:48AM id1=1111 id2=xxxx error = 100
4. 9/16/19 1:45AM id1=1111 id2=aaaa error = 0
5. 9/16/19 1:30AM id1=1111 id2=xxxx error = 0
6. 9/16/19 1:00AM id1=2222 id2=bbbb error = 0
Not sure what the best approach is here.
Thanks to the helpers
David
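A reference implementation of the exclusion rule David describes, added here as an example (it is not code from the post or from Splunk): it parses the eight sample events, suppresses each error = -1 event that has an error = 0 for the same id1/id2 within the preceding 30 minutes, and returns the rest newest first. The 30-minute boundary is assumed to be inclusive.

```python
import re
from datetime import datetime, timedelta

# The eight events from the question, constructed here as plain text.
SAMPLE_EVENTS = """\
9/16/19 2:05AM id1=1111 id2=aaaa error = -1
9/16/19 2:00AM id1=2222 id2=xxxx error = -1
9/16/19 1:50AM id1=1111 id2=xxxx error = 0
9/16/19 1:48AM id1=1111 id2=xxxx error = 100
9/16/19 1:45AM id1=1111 id2=aaaa error = 0
9/16/19 1:30AM id1=1111 id2=xxxx error = 0
9/16/19 1:05AM id1=2222 id2=bbbb error = -1
9/16/19 1:00AM id1=2222 id2=bbbb error = 0
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+)\s+id1=(?P<id1>\S+)\s+id2=(?P<id2>\S+)\s+error\s*=\s*(?P<error>-?\d+)$"
)

def parse_events(text):
    """Parse one event per line into dicts with a real timestamp."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip blank or malformed lines
        events.append({
            "_time": datetime.strptime(m["ts"], "%m/%d/%y %I:%M%p"),
            "id1": m["id1"], "id2": m["id2"], "error": int(m["error"]),
        })
    return events

def filter_events(events, window=timedelta(minutes=30)):
    """Drop error=-1 events preceded (within `window`) by an error=0 event
    for the same (id1, id2). Returns the kept events, newest first."""
    last_ok = {}   # (id1, id2) -> time of the most recent error=0 seen so far
    kept = []
    for ev in sorted(events, key=lambda e: e["_time"]):  # walk oldest first
        key = (ev["id1"], ev["id2"])
        ok_time = last_ok.get(key)
        suppressed = (ev["error"] == -1 and ok_time is not None
                      and ev["_time"] - ok_time <= window)  # inclusive boundary (assumption)
        if not suppressed:
            kept.append(ev)
        if ev["error"] == 0:
            last_ok[key] = ev["_time"]
    return sorted(kept, key=lambda e: e["_time"], reverse=True)

def summarize(events):
    """Compact (HH:MM, id1, id2, error) tuples for comparison with the expected list."""
    return [(e["_time"].strftime("%H:%M"), e["id1"], e["id2"], e["error"]) for e in events]
```

In SPL the same per-key running state is what `streamstats` provides (with `current=f` and `by id1 id2`), so a query can carry the last error=0 time forward and filter with `where` in the same way.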