topic How to search syntax to exclude dhost or URL in Splunk Search https://community.splunk.com/t5/Splunk-Search/How-to-search-syntax-to-exclude-dhost-or-URL/m-p/493929#M137712 <P>New to Splunk here. Trying to run a search for user BLAHBLAH that does NOT contain dhost of api.drift.com<BR /> Would someone help me with the search? index=* </P> <P>My search below but does not seem to be working:</P> <PRE><CODE>index=* "BLAHBLAH" sourcetype=* dhost!="api.drift" </CODE></PRE> <P>Raw syslog below:</P> <PRE><CODE>Nov 26 16:40:26 QHLSTLS11 mwg: status="426/0" srcip="10.99.99.50" user="BLAHLBAH" dhost="presence.api.drift.com" urlp="443" proto="HTTPS/https" mtd="GET" urlc="Business" rep="0" mt="application/x-empty" mlwr="-" app="-" bytes="782/780/201/196" ua="Chrome77-10.0" lat="0/0/71/97" rule="Last Rule" url="https://presence.api.drift.com/ws/websocket?session_token=SFMyNTY.43QAAAACZAAEZGF0YXQAAAAFZAACaWRtAAAAEzEwMzg5Ny00MTE0MTAzMjM0LTRkAAZvcmdfaWRiAAGV2WQACXNjb3BlX3NldGwAAAABbQAAAARsZWFkamQbB3VzZXJfaWRuBADCOzj1ZAAJdXNlcl90eXBlZAAEbGVhZGQABnNpZ25lZG4GAE8ol55uAQ.7-xbZbLOyHODYgRuuNSrIkIupxR3MnYkslNfjSaDMZU&amp;vsn=1.0.0" </CODE></PRE> Wed, 27 Nov 2019 00:46:54 GMT trojan_81 2019-11-27T00:46:54Z How to search syntax to exclude dhost or URL https://community.splunk.com/t5/Splunk-Search/How-to-search-syntax-to-exclude-dhost-or-URL/m-p/493929#M137712 <P>New to Splunk here. Trying to run a search for user BLAHBLAH that does NOT contain dhost of api.drift.com<BR /> Would someone help me with the search? index=* </P> <P>My search below but does not seem to be working:</P> <PRE><CODE>index=* "BLAHBLAH" sourcetype=* dhost!="api.drift" </CODE></PRE> <P>Raw syslog below:</P> <PRE><CODE>Nov 26 16:40:26 QHLSTLS11 mwg: status="426/0" srcip="10.99.99.50" user="BLAHLBAH" dhost="presence.api.drift.com" urlp="443" proto="HTTPS/https" mtd="GET" urlc="Business" rep="0" mt="application/x-empty" mlwr="-" app="-" bytes="782/780/201/196" ua="Chrome77-10.0" lat="0/0/71/97" rule="Last Rule" url="https://presence.api.drift.com/ws/websocket?session_token=SFMyNTY.43QAAAACZAAEZGF0YXQAAAAFZAACaWRtAAAAEzEwMzg5Ny00MTE0MTAzMjM0LTRkAAZvcmdfaWRiAAGV2WQACXNjb3BlX3NldGwAAAABbQAAAARsZWFkamQbB3VzZXJfaWRuBADCOzj1ZAAJdXNlcl90eXBlZAAEbGVhZGQABnNpZ25lZG4GAE8ol55uAQ.7-xbZbLOyHODYgRuuNSrIkIupxR3MnYkslNfjSaDMZU&amp;vsn=1.0.0" </CODE></PRE> Wed, 27 Nov 2019 00:46:54 GMT https://community.splunk.com/t5/Splunk-Search/How-to-search-syntax-to-exclude-dhost-or-URL/m-p/493929#M137712 trojan_81 2019-11-27T00:46:54Z Re: How to search syntax to exclude dhost or URL https://community.splunk.com/t5/Splunk-Search/How-to-search-syntax-to-exclude-dhost-or-URL/m-p/493930#M137713 <PRE><CODE>index=* user="BLAHBLAH" dhost!="*api.drift*" </CODE></PRE> Wed, 27 Nov 2019 01:01:51 GMT https://community.splunk.com/t5/Splunk-Search/How-to-search-syntax-to-exclude-dhost-or-URL/m-p/493930#M137713 sduff_splunk 2019-11-27T01:01:51Z