topic Re: Help searching with not in Splunk Search

Help searching with not

astatrial — Tue, 29 Oct 2019 18:08:02 GMT

Hi all,
For some reason, my search doesn't work properly.
The search is as the one below:

....| search NOT (x=3 AND b=3)

Instead of excluding events with both the conditions in the parentheses, it does: not x=3 or not b=3

Can someone help me achieve what I am trying to do?

Thanks

Re: Help searching with not

gaurav_maniar — Tue, 29 Oct 2019 20:09:26 GMT

hi,

try | search NOT (x=1 OR b=3), this will give you the desired results.

accept & up-vote the answer if it helps.

Re: Help searching with not

woodcock — Wed, 30 Oct 2019 02:04:17 GMT

It should work but try this:

....| search x!=3 OR b!=3

Re: Help searching with not

astatrial — Wed, 30 Oct 2019 06:54:22 GMT

I want to exclude events with both my terms, means if both x=3 and b=3 than the event will be excluded.

Re: Help searching with not

astatrial — Wed, 30 Oct 2019 06:56:51 GMT

I need both terms to exist, so this is not exactly what i need.

Re: Help searching with not

kamlesh_vaghela — Wed, 30 Oct 2019 07:27:48 GMT

@astatrial

I think your provided search | search NOT (x=3 AND b=3) should work.

check:

| makeresults count=10 | eval x=1 | accum x | eval b=3 | search NOT (x=3 AND b=3)

Try

| where NOT (x=3 AND b=3)

Check:

| makeresults count=10 | eval x=1 | accum x | eval b=3 | where NOT (x=3 AND b=3)

If both ways are not working then we are expecting types of both fields and sample data OR screenshots of them. You can use the below search for type.

| makeresults count=10 | eval x=1 | accum x | eval b=3  | eval x_t=typeof(x),b_t=typeof(b)

Thanks

Re: Help searching with not

astatrial — Wed, 30 Oct 2019 08:26:10 GMT

I think i had problems with the condition itself.
I had a path inside and didn't use "\".

Thanks all !

Re: Help searching with not

astatrial — Wed, 30 Oct 2019 08:28:35 GMT

Hi,
Thanks, it appeared that the logic was ok but instead the problem was with the condition with the file path (that was lacked double back slashes).

Any way, i will accept the answer as it helped me realize that the logic was ok.

Thanks again.

Re: Help searching with not

FrankVl — Wed, 30 Oct 2019 08:33:04 GMT

NOT (x=3 AND b=3) is indeed equivalent to not x=3 or not b=3, as per De Morgan's law: https://en.wikipedia.org/wiki/De_Morgan%27s_laws

If at least one of the two fields is not equal to 3, the event will be included.

b=1, x=2 -> included
b=3, x=2 -> included
b=2, x=3 -> included
b=3, x=3 -> not included

The alternative would be x!=3 AND b!=3. Which, again by De Morgan's law, is actually equivalent to NOT (x=1 OR b=3) which @gaurav_maniar mentioned in his answer. This gives you all events where none of the 2 fields equals 3.

b=1, x=2 -> included
b=3, x=2 -> not included
b=2, x=3 -> not included
b=3, x=3 -> not included

Which one is correct really depends on what you're after. Can you give a few example events and desired output and also an example of the output you get right now that is not according to your needs? Perhaps we're misunderstanding what you are actually after?

This stuff can be a bit tricky to wrap your head around. You might want to find some boolean logic tutorials or so online, to brush up on these concepts 🙂