topic Re: How to filter values to remove attributes from a table? in Splunk Search

How to filter values to remove attributes from a table?

gmartinv — Mon, 18 May 2020 22:42:35 GMT

Hello Splunkers,

I appended two different searches within Splunk. Then I created a table, and now I need to filter the values of the Terminated_List attribute that do not contain the string Terminated. I am using the following search, but the final where is not working properly:

index=employees [search index=employees source="*_Terminated_Employee_*" | stats latest(source) AS source] | dedup Email_Address | fields Email_Address Terminated_List |eval e_Mail=tostring(upper(Email_Address)) | eval Terminated_List="Terminated Employees"

| append [search index=employees [search index=employees source="*Terminated IT Contractor*" | stats latest(source) AS source] | dedup Email | fields Email Terminated_List |eval e_Mail=tostring(upper(Email)) | eval Terminated_List="Terminated Contractors"] 

| table e_Mail Terminated_List | where Terminated_List!="*Terminated*"

Any ideas or suggestions??

Thank you!!

Re: How to filter values to remove attributes from a table?

richgalloway — Mon, 18 May 2020 23:28:35 GMT

Unlike search, where does not use * as a wildcard character - it's a literal. You can use where NOT match(Terminated_List, ".*Terminated.*"), but it's simpler to use search "*Terminated*".

Re: How to filter values to remove attributes from a table?

gmartinv — Tue, 19 May 2020 14:31:24 GMT

Hi there,

Thank you for your response. A have a few questions:

The MATCH function is working as expected. However, why do we need to add "." before the "*"?
The SEARCH function is not working. I get "No results found"...do you know why?

Thank you again.

Re: How to filter values to remove attributes from a table?

richgalloway — Wed, 20 May 2020 12:36:44 GMT

match uses regular expressions. In regular expressions, .* means any character, any number of times.
I don't know why search isn't working.