https://community.splunk.com/t5/Alerting/How-do-I-exclude-multiple-specific-source-alerts-from-search/m-p/444353#M7795 <P>Thanks it should include an OR .</P> Tue, 05 Feb 2019 10:57:11 GMT HenryFitzerald 2019-02-05T10:57:11Z https://community.splunk.com/t5/Alerting/How-do-I-exclude-multiple-specific-source-alerts-from-search/m-p/444348#M7790 <P>I have four alerts and wanted to exclude these specific FOUR(ALERT1,ALERT2,ALERT3,ALERT4) from the alert trigger search.</P> <P>I was expecting this query to work using NOT, but it does not work and ALERT1 &amp; 2 currently appears. Could anyone please assist?</P> <PRE><CODE>&lt;query&gt;index=universal_alerts_ NOT ( source =ALERT1 AND source =ALERT2 AND source =ALERT3 AND source =ALERT4 AND ) | timechart count by source &lt;/query&gt; </CODE></PRE> <P>This query seems a valid alternative?? But, I am not sure why ????</P> <PRE><CODE>&lt;query&gt; index=universal_alerts_ ( source! =ALERT1 AND source! =ALERT2 AND source! =ALERT3 AND source! =ALERT4 AND ) | timechart count by source &lt;/query&gt; </CODE></PRE> Mon, 04 Feb 2019 14:16:40 GMT https://community.splunk.com/t5/Alerting/How-do-I-exclude-multiple-specific-source-alerts-from-search/m-p/444348#M7790 HenryFitzerald 2019-02-04T14:16:40Z https://community.splunk.com/t5/Alerting/How-do-I-exclude-multiple-specific-source-alerts-from-search/m-p/444349#M7791 <P>Hello <a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/127716">@HenryFitzerald</a> , </P> <P>try something like this:<BR /> index=universal_alerts_ NOT<BR /> [| makeresults | eval source= "ALERT1;ALERT2;ALERT3;ALERT4;" | eval source=split(source,";") | mvexpand source | fields - _time] | timechart count by source</P> Tue, 29 Sep 2020 23:08:55 GMT https://community.splunk.com/t5/Alerting/How-do-I-exclude-multiple-specific-source-alerts-from-search/m-p/444349#M7791 vishaltaneja070 2020-09-29T23:08:55Z https://community.splunk.com/t5/Alerting/How-do-I-exclude-multiple-specific-source-alerts-from-search/m-p/444350#M7792 <P>Try this</P> <PRE><CODE>&lt;query&gt; index=universal_alerts_ NOT source IN("ALERT1", "ALERT2","ALERT3","ALERT4") | timechart count by source &lt;/query&gt; </CODE></PRE> Mon, 04 Feb 2019 14:44:11 GMT https://community.splunk.com/t5/Alerting/How-do-I-exclude-multiple-specific-source-alerts-from-search/m-p/444350#M7792 Vijeta 2019-02-04T14:44:11Z https://community.splunk.com/t5/Alerting/How-do-I-exclude-multiple-specific-source-alerts-from-search/m-p/444351#M7793 <P>@HenryFitzerald ,</P> <P>You can try this also.</P> <PRE><CODE> &lt;query&gt; index=universal_alerts_ NOT (source="ALERT1" OR source="ALERT2" OR source="ALERT3" OR source="ALERT4") | timechart count by source &lt;query&gt; </CODE></PRE> <P>Thanks</P> Mon, 04 Feb 2019 15:34:41 GMT https://community.splunk.com/t5/Alerting/How-do-I-exclude-multiple-specific-source-alerts-from-search/m-p/444351#M7793 kamlesh_vaghela 2019-02-04T15:34:41Z https://community.splunk.com/t5/Alerting/How-do-I-exclude-multiple-specific-source-alerts-from-search/m-p/444352#M7794 <P>You are using <CODE>AND</CODE> and should be using <CODE>OR</CODE> like this:</P> <PRE><CODE>index=universal_alerts_ AND NOT (source ="ALERT1" OR source ="ALERT2" OR source ="ALERT3" OR source ="ALERT4) | timechart count by source </CODE></PRE> Mon, 04 Feb 2019 21:19:28 GMT https://community.splunk.com/t5/Alerting/How-do-I-exclude-multiple-specific-source-alerts-from-search/m-p/444352#M7794 woodcock 2019-02-04T21:19:28Z https://community.splunk.com/t5/Alerting/How-do-I-exclude-multiple-specific-source-alerts-from-search/m-p/444353#M7795 <P>Thanks it should include an OR .</P> Tue, 05 Feb 2019 10:57:11 GMT https://community.splunk.com/t5/Alerting/How-do-I-exclude-multiple-specific-source-alerts-from-search/m-p/444353#M7795 HenryFitzerald 2019-02-05T10:57:11Z