https://community.splunk.com/t5/Getting-Data-In/Only-Filtering-for-Interesting-Event-Logs/m-p/30716#M5385 <P>Sounds like an excellent solution. Do you know if there is a character limit in a Macro? If so, I imagine at some point I would need to string them together in series.</P> Mon, 12 Nov 2012 21:00:52 GMT wbordeau 2012-11-12T21:00:52Z https://community.splunk.com/t5/Getting-Data-In/Only-Filtering-for-Interesting-Event-Logs/m-p/30714#M5383 <P>Is there a way to express a series of exclude filters as variable in a search?</P> <P>What I want to do is create a search and eventually an alert that will trigger on all Event Log Warnings and Errors until I exclude them one by one in the search. I realize the search string would grow impossibly long so I want to know if there is a way to condense the excluded filters and represent them with a single constant or variable that would be updated and vetted on an ongoing basis.</P> <P>Having this type of search would only yield events that I don't yet know about that could be important for me to investigate while at the same time filter out events I already know about and can safely ignore.</P> <P>I'm open to other alternatives but this is basically the impetus of what I want to accomplish.</P> Mon, 12 Nov 2012 15:55:48 GMT https://community.splunk.com/t5/Getting-Data-In/Only-Filtering-for-Interesting-Event-Logs/m-p/30714#M5383 wbordeau 2012-11-12T15:55:48Z https://community.splunk.com/t5/Getting-Data-In/Only-Filtering-for-Interesting-Event-Logs/m-p/30715#M5384 <P>You could use a macro and update it over time as you add various known filters. That would simplify your search string.</P> <P><A href="http://docs.splunk.com/Documentation/Splunk/5.0/Search/Usesearchmacros#Create_search_macros_in_Splunk_Web">http://docs.splunk.com/Documentation/Splunk/5.0/Search/Usesearchmacros#Create_search_macros_in_Splunk_Web</A></P> Mon, 12 Nov 2012 16:04:00 GMT https://community.splunk.com/t5/Getting-Data-In/Only-Filtering-for-Interesting-Event-Logs/m-p/30715#M5384 sdaniels 2012-11-12T16:04:00Z https://community.splunk.com/t5/Getting-Data-In/Only-Filtering-for-Interesting-Event-Logs/m-p/30716#M5385 <P>Sounds like an excellent solution. Do you know if there is a character limit in a Macro? If so, I imagine at some point I would need to string them together in series.</P> Mon, 12 Nov 2012 21:00:52 GMT https://community.splunk.com/t5/Getting-Data-In/Only-Filtering-for-Interesting-Event-Logs/m-p/30716#M5385 wbordeau 2012-11-12T21:00:52Z https://community.splunk.com/t5/Getting-Data-In/Only-Filtering-for-Interesting-Event-Logs/m-p/30717#M5386 <P>It looks like it's not about the number of characters. Take a look. <BR /> <A href="http://splunk-base.splunk.com/answers/8399/what-is-the-max-character-limit-for-a-macro">http://splunk-base.splunk.com/answers/8399/what-is-the-max-character-limit-for-a-macro</A></P> Mon, 12 Nov 2012 21:04:19 GMT https://community.splunk.com/t5/Getting-Data-In/Only-Filtering-for-Interesting-Event-Logs/m-p/30717#M5386 sdaniels 2012-11-12T21:04:19Z