I want to make a Splunk search where I exclude all the events whose transid correlates with the transid of an event that contains the string "[error]".
Here is my current search:
*base-search*
| eval rm_id=if(like(_raw, "%[error]%") , 0, transid)
I have to exclude all the values in the "rm_id" field from my search.
AIUI, if there is an event containing the string "error" then all events with the same transid value are to be discarded, correct?
If so, then you can use the transaction command. The command groups events with common field values into single events, which then can be filtered. The transaction command can be slow and memory-intensive.
*base-search*
| transaction transid
| search NOT "error"
Another method uses subsearches to identify transids that have "error" in them so the main search can avoid those transids. Subsearches have a limit of 50,000 results.
*base-search* NOT [ search *base-search* "error" | fields transid | format ]
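To make the two approaches in this answer concrete outside Splunk, here is an added Python example (not from the original post or from Splunk) that runs the same exclusion logic over a handful of constructed log lines. `error_transids` plays the role of the subsearch (collect the transids of events containing the marker), `exclude_error_transactions` plays the role of the outer `NOT [...]`, and `exclude_via_grouping` mirrors the `transaction transid` approach by grouping first and dropping any group that contains an error. The sample lines, the `transid=` field format, the regex, and the decision to keep events that carry no transid at all (they have nothing to correlate with) are assumptions made for the example; the marker matched is the literal "[error]" from the question, case-sensitive.

```python
"""Drop every event whose transid also appears on an event containing "[error]"."""
import re

# Constructed sample events (not real data) in the shape the question describes:
# a raw line that carries a transid field.
SAMPLE_EVENTS = [
    "2024-05-01T10:00:00 transid=1001 [info] request received",
    "2024-05-01T10:00:01 transid=1001 [error] backend timeout",
    "2024-05-01T10:00:02 transid=1001 [info] retry scheduled",
    "2024-05-01T10:00:03 transid=1002 [info] request received",
    "2024-05-01T10:00:04 transid=1002 [info] response sent",
    "2024-05-01T10:00:05 transid=1003 [warn] slow query",
    "2024-05-01T10:00:06 [info] housekeeping tick",  # assumption: no transid on this line
]

# Assumed field format: "transid=<value>" somewhere in the raw event.
TRANSID_RE = re.compile(r"\btransid=(\S+)")
# The literal marker from the question; matched case-sensitively.
ERROR_MARKER = "[error]"


def extract_transid(raw):
    """Return the transid value from a raw event, or None if the event has none."""
    m = TRANSID_RE.search(raw)
    return m.group(1) if m else None


def error_transids(events):
    """First pass (the subsearch's job): the set of transids seen on error events."""
    bad = set()
    for raw in events:
        if ERROR_MARKER in raw:
            tid = extract_transid(raw)
            if tid is not None:
                bad.add(tid)
    return bad


def exclude_error_transactions(events):
    """Second pass (the outer NOT [...]): keep events whose transid is not in the bad set.

    Events with no transid evaluate to None, which is never in the set, so they are kept.
    """
    events = list(events)
    bad = error_transids(events)
    return [raw for raw in events if extract_transid(raw) not in bad]


def exclude_via_grouping(events):
    """The transaction-style approach: group by transid, drop whole groups with an error."""
    events = list(events)
    groups = {}
    for raw in events:
        groups.setdefault(extract_transid(raw), []).append(raw)
    dropped = {
        tid
        for tid, members in groups.items()
        if tid is not None and any(ERROR_MARKER in m for m in members)
    }
    # Emit survivors in original order rather than grouped order.
    return [raw for raw in events if extract_transid(raw) not in dropped]


if __name__ == "__main__":
    for line in exclude_error_transactions(SAMPLE_EVENTS):
        print(line)
```

Both helpers read the event list twice, which is exactly why the Splunk versions cost something: the subsearch form materialises the bad transids up front (subject to the subsearch result limit), while `transaction` holds groups in memory until each one is complete. With the sample above, every event of transaction 1001 is dropped, including the two "[info]" lines around the error, and the transid-less housekeeping line survives.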