SuperCow

Reputation: 1613

Checking Splunk logs for one string but not others

In Splunk I want to search for any exceptions EXCEPT concurrent timeout exceptions. Concurrent timeout exceptions appear in the logs as either "java.util.concurrent.TimeoutException" OR "concurrent timeout exception". If I perform a query like:

("*exception*" AND (NOT "java.util.concurrent.TimeoutException"))

Splunk will find all of the exceptions (including those that contain "concurrent timeout exception", which is expected) that do not contain "java.util.concurrent.TimeoutException". However, I can't figure out how to eliminate both "java.util.concurrent.TimeoutException" and "concurrent timeout exception". When I try, it seems to eliminate all exceptions, not just those containing the two aforementioned Strings.

I've tried stuff like:

("*exception*" AND NOT ("java.util.concurrent.TimeoutException" OR "concurrent timeout exception"))

Thinking it would find all exceptions but not the two undesired Strings. If either of them evaluated to true then the statement would be true, so we'd find all exceptions where !the statement was true.

Didn't work. I tried various other combinations, just playing around with it, to no avail:

("exception" AND (NOT "java.util.concurrent.TimeoutException" OR NOT "concurrent timeout exception"))

Can anyone point me in the right direction here or mention what I'm doing wrong? Thanks.

Upvotes: 3

Views: 3844

Answers (1)

freginold

Reputation: 3956

@JerryJeremiah's suggestion should work. Written out as your query is formatted, it would look like this:

("*exception*" AND (NOT "java.util.concurrent.TimeoutException") AND (NOT "concurrent timeout exception"))

Or, for readability:

("*exception*" AND
    (NOT "java.util.concurrent.TimeoutException") AND
    (NOT "concurrent timeout exception")
)

Upvotes: 2
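
The three filter shapes from this thread, evaluated over constructed log lines as an added example (not code from the question or the answer). It assumes plain case-insensitive substring matching, which simplifies how Splunk matches terms, and the function names are hypothetical.

```python
# Added example: models the thread's filters as case-insensitive substring
# tests. Assumption: Splunk's own term segmentation is not modelled here.

A = "java.util.concurrent.TimeoutException"
B = "concurrent timeout exception"

# Constructed sample log lines (not from any real system).
SAMPLE_LOGS = [
    "ERROR java.lang.NullPointerException at OrderService.java:42",
    "ERROR java.util.concurrent.TimeoutException: waited 30s",
    "WARN concurrent timeout exception while calling inventory",
    "ERROR java.util.concurrent.TimeoutException logged as concurrent timeout exception",
    "INFO request completed in 120 ms",
]

def has(line, needle):
    """Case-insensitive substring test (hypothetical helper)."""
    return needle.lower() in line.lower()

def is_exception(line):
    # Stands in for the "*exception*" wildcard term.
    return has(line, "exception")

def q_not_or(line):
    # "*exception*" AND NOT (A OR B)
    return is_exception(line) and not (has(line, A) or has(line, B))

def q_and_not(line):
    # "*exception*" AND (NOT A) AND (NOT B), the form given in the answer
    return is_exception(line) and not has(line, A) and not has(line, B)

def q_or_not(line):
    # "exception" AND (NOT A OR NOT B): only drops lines containing BOTH strings
    return is_exception(line) and (not has(line, A) or not has(line, B))

def run(query, logs=SAMPLE_LOGS):
    """Return the indexes of the sample lines the filter keeps."""
    return [i for i, line in enumerate(logs) if query(line)]

if __name__ == "__main__":
    for name, q in [("NOT (A OR B)", q_not_or),
                    ("(NOT A) AND (NOT B)", q_and_not),
                    ("NOT A OR NOT B", q_or_not)]:
        print(f"{name:22} keeps lines {run(q)}")
```

Under this model the first two forms are equivalent by De Morgan's law and keep only the unrelated exception, while the `NOT A OR NOT B` form still lets through any line that contains just one of the two strings.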
