https://community.splunk.com/t5/Splunk-Search/How-to-search-all-field-values-except-a-particular-one/m-p/326203#M161758 <P>I have an app that can show source by country </P> <P>Example:<BR /> Country=China</P> <P>In SPL how would I format this if I wanted to Search like all possible values for Country except like USA?</P> Tue, 10 Apr 2018 18:45:11 GMT summitsplunk 2018-04-10T18:45:11Z https://community.splunk.com/t5/Splunk-Search/How-to-search-all-field-values-except-a-particular-one/m-p/326203#M161758 <P>I have an app that can show source by country </P> <P>Example:<BR /> Country=China</P> <P>In SPL how would I format this if I wanted to Search like all possible values for Country except like USA?</P> Tue, 10 Apr 2018 18:45:11 GMT https://community.splunk.com/t5/Splunk-Search/How-to-search-all-field-values-except-a-particular-one/m-p/326203#M161758 summitsplunk 2018-04-10T18:45:11Z https://community.splunk.com/t5/Splunk-Search/How-to-search-all-field-values-except-a-particular-one/m-p/326204#M161759 <P>try <CODE>Country!=*USA*</CODE> if there is a wildcard, not that I can imagine a wildcard in the country.<BR /> otherwise, <CODE>Country!="USA"</CODE> or <CODE>NOT Country="USA"</CODE> should do the trick</P> <P>it should be noted that when using <CODE>!=</CODE>, any event that does not include Country will also be excluded whereas when using <CODE>NOT</CODE>, events where Country doesn't exist will come back as well. So if Country is in 80% of your events and you only want to <EM>exclude</EM> "USA" but want to <EM>include</EM> events without Country, use <CODE>NOT Country="USA"</CODE>. If you want to <EM>exclude both</EM> null country values as well as USA, use <CODE>Country!="USA"</CODE></P> Tue, 10 Apr 2018 18:47:41 GMT https://community.splunk.com/t5/Splunk-Search/How-to-search-all-field-values-except-a-particular-one/m-p/326204#M161759 cmerriman 2018-04-10T18:47:41Z