<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Exclude records from the final result in Getting Data In</title>
    <link>https://community.splunk.com/t5/Getting-Data-In/Exclude-records-from-the-final-result/m-p/537889#M90149</link>
    <description>&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Hi, I have a situation where I have to exclude certain records from the final result only. I don't want to include in the initial search criteria because it excludes the whole event. For example&amp;nbsp; a single event may contain many tables and if I exclude a certain table&amp;nbsp; in my initial search I'm getting a wrong count of other tables . I just want those table removed from my final results.&lt;/P&gt;&lt;P&gt;Thanks&lt;/P&gt;</description>
    <pubDate>Fri, 29 Jan 2021 18:11:24 GMT</pubDate>
    <dc:creator>Anand_Raman</dc:creator>
    <dc:date>2021-01-29T18:11:24Z</dc:date>
    <item>
      <title>Exclude records from the final result</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Exclude-records-from-the-final-result/m-p/537889#M90149</link>
      <description>&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Hi, I have a situation where I have to exclude certain records from the final result only. I don't want to include in the initial search criteria because it excludes the whole event. For example&amp;nbsp; a single event may contain many tables and if I exclude a certain table&amp;nbsp; in my initial search I'm getting a wrong count of other tables . I just want those table removed from my final results.&lt;/P&gt;&lt;P&gt;Thanks&lt;/P&gt;</description>
      <pubDate>Fri, 29 Jan 2021 18:11:24 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Exclude-records-from-the-final-result/m-p/537889#M90149</guid>
      <dc:creator>Anand_Raman</dc:creator>
      <dc:date>2021-01-29T18:11:24Z</dc:date>
    </item>
    <item>
      <title>Re: Exclude records from the final result</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Exclude-records-from-the-final-result/m-p/537900#M90152</link>
      <description>&lt;P&gt;Hi&lt;/P&gt;&lt;P&gt;usually this can do wit search and/or where commands. If you give some example data and full SPL query, we could help you with it.&lt;/P&gt;&lt;P&gt;r. Ismo&lt;/P&gt;</description>
      <pubDate>Fri, 29 Jan 2021 19:31:29 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Exclude-records-from-the-final-result/m-p/537900#M90152</guid>
      <dc:creator>isoutamo</dc:creator>
      <dc:date>2021-01-29T19:31:29Z</dc:date>
    </item>
    <item>
      <title>Re: Exclude records from the final result</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Exclude-records-from-the-final-result/m-p/537907#M90156</link>
      <description>&lt;P&gt;Thanks Soutamo for the reply. The below is my main search&amp;nbsp;&lt;/P&gt;&lt;P&gt;"index="production_index" host="production" source="projects/production/logs/cloudaudit.googleapis.com%2Fdata_access" "protoPayload.authenticationInfo.principalEmail" = "*@.com"&lt;BR /&gt;protoPayload.serviceData.jobGetQueryResultsResponse.job.jobStatistics.referencedTables{}.datasetId!="_*"&lt;BR /&gt;protoPayload.serviceData.jobGetQueryResultsResponse.job.jobStatistics.createTime=*"&lt;/P&gt;&lt;P&gt;I'm parsing GCP logs to find number of users per dataset. One SQL may contain reference to multiple datasets and when I exclude the control tables in my search the whole event is being excluded.&lt;/P&gt;&lt;P&gt;&lt;span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Anand_Raman_0-1611950724715.png" style="width: 400px;"&gt;&lt;img src="https://community.splunk.com/t5/image/serverpage/image-id/12750i2996702009A56778/image-size/medium?v=v2&amp;amp;px=400" role="button" title="Anand_Raman_0-1611950724715.png" alt="Anand_Raman_0-1611950724715.png" /&gt;&lt;/span&gt;&lt;/P&gt;</description>
      <pubDate>Fri, 29 Jan 2021 20:07:54 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Exclude-records-from-the-final-result/m-p/537907#M90156</guid>
      <dc:creator>Anand_Raman</dc:creator>
      <dc:date>2021-01-29T20:07:54Z</dc:date>
    </item>
  </channel>
</rss>

