topic How to exclude results that start with specific text in a specific field in Splunk Search

How to exclude results that start with specific text in a specific field

elloyd4 — Thu, 27 Jun 2019 18:26:26 GMT

I am trying to find a list of issues in a ticketing system that include a specific keyword that also excludes a list of computer names that start with specific letters that also reside in specific locations but cant figure it out. This is what I have so far.

sourcetype=SOURCE IssueImLookingFor* AND assignment_group_name="Group1" OR "Group2" OR "Group3" NOT Location=("Location1" OR "Location2" OR "Location3")
| search exclude (WorkstationName!=ABC-* OR BCD-* OR CDE-* OR 123-*)

Re: How to exclude results that start with specific text in a specific field

skalliger — Thu, 27 Jun 2019 18:31:23 GMT

Instead of NOT Location= you want to use Location!=. 🙂
And you should chain it like Location!=1 OR Location!=2 ...

Skalli

Re: How to exclude results that start with specific text in a specific field

elloyd4 — Wed, 30 Sep 2020 01:04:32 GMT

Hello Skalli,

        Thanks for your help. The "Location!=" vs. NOT Location= did not work in my favor, but your advise lead me down a path to type out each value one at a time and that worked for me. It may be a more difficult way to do it, but NotePad++ was able to make quick work of the formatting. Thanks again for your help!

Answer:
sourcetype=SOURCE IssueImLookingFor* AND assignment_group_name="Group1" OR assignment_group_name="Group2" OR assignment_group_name="Group3" NOT Location="Location1" NOT Location="Location2" NOT Location="Location3" NOT WorkstationName=ABC-* NOT WorkstationName=BCD-* NOT WorkstationName=CDE-* NOT WorkstationName=123-*