https://community.splunk.com/t5/Splunk-Search/Exclude-results-where-two-or-more-fields-match/m-p/515062#M144586 <P>I am trying to understand how to remove results where "field_a" and "field_a" each contain a certain value together in the same log... but not all results containing "field_a" or all results containing "field_b"... or any other fields.<BR /><BR />Here are some example of logs:<BR /><BR />field_a=5 field_b=3</P><P>field_a=5 field_b=2</P><P>field_a=2 field_b=3</P><P>I want to exclude only logs where&nbsp;field_a is equal to "5"&nbsp;<STRONG>AND </STRONG>field_b is equal to "3"&nbsp;... but keep all other results. So, in the log examples above, I would only want to exclude the first log because that is the only example where BOTH fields contain a specific value... I would want my query to return the last two logs.</P> Wed, 19 Aug 2020 20:44:52 GMT iomega311 2020-08-19T20:44:52Z https://community.splunk.com/t5/Splunk-Search/Exclude-results-where-two-or-more-fields-match/m-p/515062#M144586 <P>I am trying to understand how to remove results where "field_a" and "field_a" each contain a certain value together in the same log... but not all results containing "field_a" or all results containing "field_b"... or any other fields.<BR /><BR />Here are some example of logs:<BR /><BR />field_a=5 field_b=3</P><P>field_a=5 field_b=2</P><P>field_a=2 field_b=3</P><P>I want to exclude only logs where&nbsp;field_a is equal to "5"&nbsp;<STRONG>AND </STRONG>field_b is equal to "3"&nbsp;... but keep all other results. So, in the log examples above, I would only want to exclude the first log because that is the only example where BOTH fields contain a specific value... I would want my query to return the last two logs.</P> Wed, 19 Aug 2020 20:44:52 GMT https://community.splunk.com/t5/Splunk-Search/Exclude-results-where-two-or-more-fields-match/m-p/515062#M144586 iomega311 2020-08-19T20:44:52Z https://community.splunk.com/t5/Splunk-Search/Exclude-results-where-two-or-more-fields-match/m-p/515066#M144588 <P>NOT (&nbsp;<SPAN>field_a=5 AND field_b=3</SPAN> )</P><P>add this within your base search or in subsequent search command</P> Wed, 19 Aug 2020 21:09:48 GMT https://community.splunk.com/t5/Splunk-Search/Exclude-results-where-two-or-more-fields-match/m-p/515066#M144588 sbuntin_splunk 2020-08-19T21:09:48Z https://community.splunk.com/t5/Splunk-Search/Exclude-results-where-two-or-more-fields-match/m-p/515067#M144589 <P>Perhaps this will help.</P><LI-CODE lang="markup">index=foo NOT (field_a=5 AND field_b=3)</LI-CODE> Wed, 19 Aug 2020 21:10:54 GMT https://community.splunk.com/t5/Splunk-Search/Exclude-results-where-two-or-more-fields-match/m-p/515067#M144589 richgalloway 2020-08-19T21:10:54Z