topic Re: Trying to ignore a value based on the field in Splunk Search

Trying to ignore a value based on the field

srinivasgowda — Thu, 20 May 2021 09:01:58 GMT

Hello team,

I am trying to ignore the value "Total" if its concurrent Os_type matches "Linux"

Below is what I tried.

|search DataType=Executive_Summary | search OS_Type=Linux AND OS_SubType!=Total
| chart values(Servers_Skipped_Patching) as Skipped values(Servers_Failed_Patching) as Failed values(Servers_Successfully_Patching) as Successful by "OS_Type" "OS_SubType"

However, as I am also getting the value OS_SubType=Total from OS_Type=Windows.

Please let me know how I may ignore the "Total" only from Linux and not from any other OS_Type.

Re: Trying to ignore a value based on the field

ITWhisperer — Thu, 20 May 2021 09:28:45 GMT

| search OS_Type!=Linux OR OS_SubType!=Total

Re: Trying to ignore a value based on the field

srinivasgowda — Thu, 20 May 2021 09:36:25 GMT

By using OS_Type!=Linux all other OS_Subtype would be ignore from Linux and by adding OS_Subtype!=Total, Total from all other OS_Type will be ignored. And that is not what I am looking for. I need to ignore only Total coming from OS_Type=Linux

Re: Trying to ignore a value based on the field

ITWhisperer — Thu, 20 May 2021 09:50:59 GMT

Did you try it?

There is an OR so if the OS_Type is not Linux it will get found no matter what the OS_Subtype, or if the OS_Type is Linux, then it will only be found if the OS_Subtype is not Total.

OS_Type	OS_Subtype	Found by search
Linux	Total	No
Linux	Not Total	Yes (OS_Subtype != Total)
Not Linux	Total	Yes (OS_Type != Linux)
Not Linux	Not Total	Yes (OS_Type != Linux)

Is this not what you want?