https://community.splunk.com/t5/Splunk-Search/Search-Query/m-p/533424#M150722 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/207926">@anandhalagaras1</a>, can you try below?</P><LI-CODE lang="markup">index=abc host=xyz ORA-* NOT ORA-609 NOT ORA-3136 NOT ORA-12008 NOT ORA-0</LI-CODE> Thu, 17 Dec 2020 09:27:52 GMT scelikok 2020-12-17T09:27:52Z https://community.splunk.com/t5/Splunk-Search/Search-Query/m-p/533339#M150695 <P>Hi Team,</P><P>I have a logfile in which I have few keywords such as ORA-1 , ORA-212, ORA-609 and similarly we have more than 100&nbsp; information related to ORA- value with it.</P><P>So during the search&nbsp; we want to exclude the below mentioned ORA details&nbsp;</P><P>ORA-609<BR />ORA-3136<BR />ORA-12008<BR />ORA-0</P><P>And the other ORA- stuffs needs to be displayed&nbsp; while searching the logs so that we can create Alerting and schedule the same.</P><P>i.e. If other than ( ORA-609 , ORA-3136, ORA-12008, ORA-0) and the remaining ORA- should&nbsp; be displayed as events so I can able to create the alerting for the same.</P><P>index=abc</P><P>sourcetype=def&nbsp;</P><P>host=xxx</P><P>So kindly help with the query.</P> Wed, 16 Dec 2020 14:50:19 GMT https://community.splunk.com/t5/Splunk-Search/Search-Query/m-p/533339#M150695 anandhalagaras1 2020-12-16T14:50:19Z https://community.splunk.com/t5/Splunk-Search/Search-Query/m-p/533346#M150696 <LI-CODE lang="markup">| regex _raw!="(ORA\-609|ORA\-3136|ORA\-12008|ORA\-0).*"</LI-CODE> Wed, 16 Dec 2020 17:39:13 GMT https://community.splunk.com/t5/Splunk-Search/Search-Query/m-p/533346#M150696 ITWhisperer 2020-12-16T17:39:13Z https://community.splunk.com/t5/Splunk-Search/Search-Query/m-p/533417#M150716 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/225168">@ITWhisperer</a>&nbsp;,</P><P>Thank you for your response.</P><P>With this query I can able to filter out&nbsp;&nbsp;ORA-609, ORA-3136, ORA-12008, ORA-0 from the logs which is fine. But in the same query I want to see only the logs which contains ORA-* in the event since there are other type of events as well present in the log.</P><P>&nbsp;</P><P>For better understanding , I want to see all the ORA-* logs when i search excluding the&nbsp; ORA-609, ORA-3136, ORA-12008, ORA-0&nbsp;</P><P>&nbsp;</P><P>So kindly help with the query.&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Thu, 17 Dec 2020 08:45:30 GMT https://community.splunk.com/t5/Splunk-Search/Search-Query/m-p/533417#M150716 anandhalagaras1 2020-12-17T08:45:30Z https://community.splunk.com/t5/Splunk-Search/Search-Query/m-p/533420#M150719 <LI-CODE lang="markup">| regex _raw!="(ORA\-609|ORA\-3136|ORA\-12008|ORA\-0).*" | regex _raw="ORA\-.*"</LI-CODE> Thu, 17 Dec 2020 08:59:52 GMT https://community.splunk.com/t5/Splunk-Search/Search-Query/m-p/533420#M150719 ITWhisperer 2020-12-17T08:59:52Z https://community.splunk.com/t5/Splunk-Search/Search-Query/m-p/533421#M150720 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/225168">@ITWhisperer</a>&nbsp;</P><P>&nbsp;</P><P>Thank you for your swift response.</P><P>&nbsp;</P><P>But still I can see few of the ORA-* is not captured when I use the query.</P><P>For example:</P><P>index=abc&nbsp; host="xyz" | regex _raw!="(ORA\-609|ORA\-3136|ORA\-12008|ORA\-0).*" | regex _raw="ORA\-.*"</P><P>&nbsp;</P><P>I can see there are events related for ORA-00020 on today as well as yesterday but when i ran the query it is not showing up this ORA-00020 eventhough it is not in the exclusion list. Similarly we have like this more ORA- things which is not showing up.&nbsp;</P><P>So kindly help.</P> Thu, 17 Dec 2020 09:11:53 GMT https://community.splunk.com/t5/Splunk-Search/Search-Query/m-p/533421#M150720 anandhalagaras1 2020-12-17T09:11:53Z https://community.splunk.com/t5/Splunk-Search/Search-Query/m-p/533422#M150721 <P>This is because you haven't been specific enough or given examples of logs from which to work from!</P><P>What follows these codes? Is it always a space or a colon or a closing bracket or a non-digit? Basically, the regex needs something to indicate that the code is complete.</P> Thu, 17 Dec 2020 09:24:40 GMT https://community.splunk.com/t5/Splunk-Search/Search-Query/m-p/533422#M150721 ITWhisperer 2020-12-17T09:24:40Z https://community.splunk.com/t5/Splunk-Search/Search-Query/m-p/533424#M150722 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/207926">@anandhalagaras1</a>, can you try below?</P><LI-CODE lang="markup">index=abc host=xyz ORA-* NOT ORA-609 NOT ORA-3136 NOT ORA-12008 NOT ORA-0</LI-CODE> Thu, 17 Dec 2020 09:27:52 GMT https://community.splunk.com/t5/Splunk-Search/Search-Query/m-p/533424#M150722 scelikok 2020-12-17T09:27:52Z https://community.splunk.com/t5/Splunk-Search/Search-Query/m-p/533431#M150724 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/206061">@scelikok</a>&nbsp;</P><P>Thank you. It worked as expected.</P> Thu, 17 Dec 2020 11:57:50 GMT https://community.splunk.com/t5/Splunk-Search/Search-Query/m-p/533431#M150724 anandhalagaras1 2020-12-17T11:57:50Z