https://community.splunk.com/t5/Splunk-Search/How-to-get-events-that-do-not-contain-a-particular-string-or-a/m-p/392700#M114241 <P>For us to assist you better you will have to provide concrete distinction between events to be selected and that to be filtered.Following seems to be present on all the events (whether you need them or not): <CODE>"action:debug message can be exception : "</CODE></P> <P>So, we can not provide you exact filter as the samples you have provided have some generic messages after the matched pattern. Regular expression/Filter Criteria has to be based on these messages only so generic message will not be useful for us to assist.</P> <P>You can definitely look for @DalJeanis 's approach of using <CODE>NOT</CODE> or <CODE>!=</CODE> depending on your use case.</P> Sun, 05 Aug 2018 04:43:41 GMT niketn 2018-08-05T04:43:41Z https://community.splunk.com/t5/Splunk-Search/How-to-get-events-that-do-not-contain-a-particular-string-or-a/m-p/392696#M114237 <P>I have events coming in the below format<BR /> "2018:04:04:11:19:59.926 testhostname 3:INFO TEST:NOTE FLAG 1234567894567890 praimaryflag:secondflag:action:debug message can be exception : There was a this ERROR occured "</P> <P>and there are events that have different messages too such as :</P> <P>2018:04:04:11:19:59.926 testhostname 3:INFO TEST:NOTE FLAG 1234567891267895 praimaryflag:secondflag:action:debug message can be exception : There was something else<BR /> 2018:04:04:11:19:59.926 testhostname 3:INFO TEST:NOTE FLAG 12345686794567891 praimaryflag:secondflag:action:debug message can be exception : Just a debug log no worries<BR /> 2018:04:04:11:19:59.926 testhostname 3:INFO TEST:NOTE FLAG 1234567894567819 praimaryflag:secondflag:action:debug message can be exception : There was a different ERROR</P> <P>I want to extract all events that do not contain </P> <P>Case 1. " debug message can be exception : There was a this ERROR occured"<BR /> Case 2. " There was a this ERROR occured"</P> <P>Need help getting the right search query or rex for this. </P> Sat, 04 Aug 2018 17:45:15 GMT https://community.splunk.com/t5/Splunk-Search/How-to-get-events-that-do-not-contain-a-particular-string-or-a/m-p/392696#M114237 bkumarm 2018-08-04T17:45:15Z https://community.splunk.com/t5/Splunk-Search/How-to-get-events-that-do-not-contain-a-particular-string-or-a/m-p/392697#M114238 <P>@bkumar, if you know the pattern of data to be excluded and not sure of pattern of data to be included, you can create regex based re-routing of unwanted data to a different sourcetype so that only required events are indexed with existing sourcetype. Refer to the Splunk Documentation for sourcetype re-routing: <A href="http://docs.splunk.com/Documentation/Splunk/latest/Forwarding/Routeandfilterdatad#Filter_and_route_event_data_to_target_groups">http://docs.splunk.com/Documentation/Splunk/latest/Forwarding/Routeandfilterdatad#Filter_and_route_event_data_to_target_groups</A></P> Sat, 04 Aug 2018 18:15:00 GMT https://community.splunk.com/t5/Splunk-Search/How-to-get-events-that-do-not-contain-a-particular-string-or-a/m-p/392697#M114238 niketn 2018-08-04T18:15:00Z https://community.splunk.com/t5/Splunk-Search/How-to-get-events-that-do-not-contain-a-particular-string-or-a/m-p/392698#M114239 <P>SInce every record that matches the second also matches the first, your REGEX is very simple </P> <PRE><CODE>"There was a this ERROR occured" </CODE></PRE> <P>This line as the first line after the initial search will eliminate all the matches...</P> <PRE><CODE>| regex _raw!="There was a this ERROR occured" </CODE></PRE> <HR /> <P>If there was a specific other wording where "a this" is in that message, then you need to give us the exact wording. </P> Sat, 04 Aug 2018 18:18:06 GMT https://community.splunk.com/t5/Splunk-Search/How-to-get-events-that-do-not-contain-a-particular-string-or-a/m-p/392698#M114239 DalJeanis 2018-08-04T18:18:06Z https://community.splunk.com/t5/Splunk-Search/How-to-get-events-that-do-not-contain-a-particular-string-or-a/m-p/392699#M114240 <P>@niketnilay , in the current case, I do not have access to backend to configure transforms. I have been provided access to an index that has these events . I need to use regex or search to filter/extract required fields. </P> Sun, 05 Aug 2018 04:14:07 GMT https://community.splunk.com/t5/Splunk-Search/How-to-get-events-that-do-not-contain-a-particular-string-or-a/m-p/392699#M114240 bkumarm 2018-08-05T04:14:07Z https://community.splunk.com/t5/Splunk-Search/How-to-get-events-that-do-not-contain-a-particular-string-or-a/m-p/392700#M114241 <P>For us to assist you better you will have to provide concrete distinction between events to be selected and that to be filtered.Following seems to be present on all the events (whether you need them or not): <CODE>"action:debug message can be exception : "</CODE></P> <P>So, we can not provide you exact filter as the samples you have provided have some generic messages after the matched pattern. Regular expression/Filter Criteria has to be based on these messages only so generic message will not be useful for us to assist.</P> <P>You can definitely look for @DalJeanis 's approach of using <CODE>NOT</CODE> or <CODE>!=</CODE> depending on your use case.</P> Sun, 05 Aug 2018 04:43:41 GMT https://community.splunk.com/t5/Splunk-Search/How-to-get-events-that-do-not-contain-a-particular-string-or-a/m-p/392700#M114241 niketn 2018-08-05T04:43:41Z https://community.splunk.com/t5/Splunk-Search/How-to-get-events-that-do-not-contain-a-particular-string-or-a/m-p/392701#M114242 <P>The first part does not matter, I want to filter all events that contain<BR /> " There was a this ERROR occurred" .<BR /> I did try @DalJeanis approach, couldn't get a complete solution though.</P> Sun, 05 Aug 2018 11:23:48 GMT https://community.splunk.com/t5/Splunk-Search/How-to-get-events-that-do-not-contain-a-particular-string-or-a/m-p/392701#M114242 bkumarm 2018-08-05T11:23:48Z https://community.splunk.com/t5/Splunk-Search/How-to-get-events-that-do-not-contain-a-particular-string-or-a/m-p/392702#M114243 <P>So what was the exact thing that didn't work in Dal's approach?</P> Sun, 05 Aug 2018 12:30:17 GMT https://community.splunk.com/t5/Splunk-Search/How-to-get-events-that-do-not-contain-a-particular-string-or-a/m-p/392702#M114243 cpetterborg 2018-08-05T12:30:17Z https://community.splunk.com/t5/Splunk-Search/How-to-get-events-that-do-not-contain-a-particular-string-or-a/m-p/392703#M114244 <P>@DalJeanis what I need is to filter all events that DO NOT have the string "There was a this ERROR occured " exact match. And then I will need to extract fields from those events to generate reports.</P> Sun, 05 Aug 2018 15:48:48 GMT https://community.splunk.com/t5/Splunk-Search/How-to-get-events-that-do-not-contain-a-particular-string-or-a/m-p/392703#M114244 bkumarm 2018-08-05T15:48:48Z https://community.splunk.com/t5/Splunk-Search/How-to-get-events-that-do-not-contain-a-particular-string-or-a/m-p/392704#M114245 <P>Finally I got this working. Figured out that the solution did not work earlier because of a line breaking issue at transforms.<BR /> Thanks for all your time.<BR /> I am accepting this answer</P> Sun, 05 Aug 2018 16:13:12 GMT https://community.splunk.com/t5/Splunk-Search/How-to-get-events-that-do-not-contain-a-particular-string-or-a/m-p/392704#M114245 bkumarm 2018-08-05T16:13:12Z https://community.splunk.com/t5/Splunk-Search/How-to-get-events-that-do-not-contain-a-particular-string-or-a/m-p/392705#M114246 <P>already answered ... it was a small fix that was required in transforms</P> Sun, 05 Aug 2018 16:14:00 GMT https://community.splunk.com/t5/Splunk-Search/How-to-get-events-that-do-not-contain-a-particular-string-or-a/m-p/392705#M114246 bkumarm 2018-08-05T16:14:00Z