https://community.splunk.com/t5/Getting-Data-In/How-to-ignore-internal-indexes-when-searching/m-p/211851#M41707 <P>Hello,</P> <P>| rest /services/data/indexes-extended | eval bd_home_event_min_time=strftime('bucket_dirs.home.event_min_time',"%d/%m/%Y") | eval bd_home_event_max_time=strftime('bucket_dirs.home.event_max_time',"%d/%m/%Y") | eval bd_cold_event_min_time=strftime('bucket_dirs.cold.event_min_time',"%d/%m/%Y") | eval bd_cold_event_max_time=strftime('bucket_dirs.cold.event_max_time',"%d/%m/%Y") | table title,bd_home_event_min_time,bd_home_event_max_time,bd_cold_event_min_time,bd_cold_event_max_time,splunk_server | sort title <STRONG>| where not like(title,"_%")</STRONG></P> <P>returns empty result.</P> <P>However the where clause works if I don't use underscore.</P> <P>My aim is to ignore internal indexes.</P> <P>Thanks for your help.</P> Tue, 29 Sep 2020 11:08:36 GMT splunkreal 2020-09-29T11:08:36Z https://community.splunk.com/t5/Getting-Data-In/How-to-ignore-internal-indexes-when-searching/m-p/211851#M41707 <P>Hello,</P> <P>| rest /services/data/indexes-extended | eval bd_home_event_min_time=strftime('bucket_dirs.home.event_min_time',"%d/%m/%Y") | eval bd_home_event_max_time=strftime('bucket_dirs.home.event_max_time',"%d/%m/%Y") | eval bd_cold_event_min_time=strftime('bucket_dirs.cold.event_min_time',"%d/%m/%Y") | eval bd_cold_event_max_time=strftime('bucket_dirs.cold.event_max_time',"%d/%m/%Y") | table title,bd_home_event_min_time,bd_home_event_max_time,bd_cold_event_min_time,bd_cold_event_max_time,splunk_server | sort title <STRONG>| where not like(title,"_%")</STRONG></P> <P>returns empty result.</P> <P>However the where clause works if I don't use underscore.</P> <P>My aim is to ignore internal indexes.</P> <P>Thanks for your help.</P> Tue, 29 Sep 2020 11:08:36 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-ignore-internal-indexes-when-searching/m-p/211851#M41707 splunkreal 2020-09-29T11:08:36Z https://community.splunk.com/t5/Getting-Data-In/How-to-ignore-internal-indexes-when-searching/m-p/211852#M41708 <PRE><CODE>| rest /services/data/indexes-extended | eval bd_home_event_min_time=strftime('bucket_dirs.home.event_min_time',"%d/%m/%Y") | eval bd_home_event_max_time=strftime('bucket_dirs.home.event_max_time',"%d/%m/%Y") | eval bd_cold_event_min_time=strftime('bucket_dirs.cold.event_min_time',"%d/%m/%Y") | eval bd_cold_event_max_time=strftime('bucket_dirs.cold.event_max_time',"%d/%m/%Y") | table title,bd_home_event_min_time,bd_home_event_max_time,bd_cold_event_min_time,bd_cold_event_max_time,splunk_server | sort title | search title!="_*" </CODE></PRE> Fri, 23 Sep 2016 14:45:16 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-ignore-internal-indexes-when-searching/m-p/211852#M41708 dmaislin_splunk 2016-09-23T14:45:16Z https://community.splunk.com/t5/Getting-Data-In/How-to-ignore-internal-indexes-when-searching/m-p/211853#M41709 <P>Thanks!</P> <P>By the way what is the difference between * and % (to use wildcard) ?</P> Fri, 23 Sep 2016 15:00:05 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-ignore-internal-indexes-when-searching/m-p/211853#M41709 splunkreal 2016-09-23T15:00:05Z https://community.splunk.com/t5/Getting-Data-In/How-to-ignore-internal-indexes-when-searching/m-p/211854#M41710 <UL> <LI>and % are 2 different things : % are used for date formatting, see <A href="https://docs.splunk.com/Documentation/Splunk/6.5.1/SearchReference/Commontimeformatvariables">https://docs.splunk.com/Documentation/Splunk/6.5.1/SearchReference/Commontimeformatvariables</A></LI> </UL> <P>% is not a wildcard. <BR /> for wildcard see : <A href="https://docs.splunk.com/Documentation/Splunk/6.5.1/Search/Wildcards">https://docs.splunk.com/Documentation/Splunk/6.5.1/Search/Wildcards</A></P> Thu, 19 Jan 2017 08:06:33 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-ignore-internal-indexes-when-searching/m-p/211854#M41710 sduchene_splunk 2017-01-19T08:06:33Z