https://community.splunk.com/t5/Splunk-Search/search-correction-with-NOT/m-p/66830#M16668 <P>I have an alert setup. It is like</P> <P>"ABC-* NOT ("ABC-1" OR "ABC-2")</P> <P>"ABC-1", "ABC-2" being stuff I have taken care of.</P> <P>My result is like:</P> <P>ABC-<BR /> ABC-3<BR /> ABC-4<BR /> ABC-5</P> <P>I want to remove that "ABC-". </P> <P>The problem is, if I add it as NOT to the search, I see no results. Like in</P> <P>"ABC-* NOT ("ABC-" OR "ABC-1" OR "ABC-2")</P> <P>I get 0 results. How to do that correctly?</P> Wed, 18 Sep 2013 18:14:44 GMT aniketb 2013-09-18T18:14:44Z https://community.splunk.com/t5/Splunk-Search/search-correction-with-NOT/m-p/66830#M16668 <P>I have an alert setup. It is like</P> <P>"ABC-* NOT ("ABC-1" OR "ABC-2")</P> <P>"ABC-1", "ABC-2" being stuff I have taken care of.</P> <P>My result is like:</P> <P>ABC-<BR /> ABC-3<BR /> ABC-4<BR /> ABC-5</P> <P>I want to remove that "ABC-". </P> <P>The problem is, if I add it as NOT to the search, I see no results. Like in</P> <P>"ABC-* NOT ("ABC-" OR "ABC-1" OR "ABC-2")</P> <P>I get 0 results. How to do that correctly?</P> Wed, 18 Sep 2013 18:14:44 GMT https://community.splunk.com/t5/Splunk-Search/search-correction-with-NOT/m-p/66830#M16668 aniketb 2013-09-18T18:14:44Z https://community.splunk.com/t5/Splunk-Search/search-correction-with-NOT/m-p/66831#M16669 <P>The ABC-* is very generic.</P> <P>if you have a space after ABC-<BR /> <CODE>"ABC-* NOT ("ABC-1" OR "ABC-2" OR "ABC- ")</CODE></P> <P>otherwise, you can add a second regex filter after to keep only ABC-<DIGIT></DIGIT></P> <P><CODE>"ABC-* NOT ("ABC-1" OR "ABC-2") | regex _raw="ABC-\d"</CODE></P> Wed, 18 Sep 2013 18:18:51 GMT https://community.splunk.com/t5/Splunk-Search/search-correction-with-NOT/m-p/66831#M16669 yannK 2013-09-18T18:18:51Z https://community.splunk.com/t5/Splunk-Search/search-correction-with-NOT/m-p/66832#M16670 <P>I do pass this to a regex because this is an error code. Your regex doesn't gel well with mine. My complete search string is</P> <P>"ABC-<EM>" NOT ("ABC-1" OR "ABC-2") | rex "(?<ERRORNAME>ABC-[0-9]</ERRORNAME></EM>)" | stats count by ErrorName | sort-count</P> <P>Also there's no space after "ABC-"</P> Wed, 18 Sep 2013 18:40:57 GMT https://community.splunk.com/t5/Splunk-Search/search-correction-with-NOT/m-p/66832#M16670 aniketb 2013-09-18T18:40:57Z https://community.splunk.com/t5/Splunk-Search/search-correction-with-NOT/m-p/66833#M16671 <P>It works, the events with a non matching rex field "errorname" will have a null value for errorname, and should not appear in your stats by errorname.</P> Wed, 18 Sep 2013 20:10:20 GMT https://community.splunk.com/t5/Splunk-Search/search-correction-with-NOT/m-p/66833#M16671 yannK 2013-09-18T20:10:20Z https://community.splunk.com/t5/Splunk-Search/search-correction-with-NOT/m-p/66834#M16672 <P>Try this</P> <PRE><CODE>"abc-* NOT ("abc-1" OR "abc-2" OR TERM("abc-")) </CODE></PRE> <P>You can read more about TERM <A href="http://docs.splunk.com/Documentation/Splunk/latest/Search/Usethesearchcommand">here</A></P> Thu, 19 Sep 2013 00:05:32 GMT https://community.splunk.com/t5/Splunk-Search/search-correction-with-NOT/m-p/66834#M16672 lguinn2 2013-09-19T00:05:32Z https://community.splunk.com/t5/Splunk-Search/search-correction-with-NOT/m-p/66835#M16673 <P>Thanks for the new term... er tool.<BR /> Why not just use <BR /> regex _raw="ABC-\d" <BR /> as the search and then NOT whateverelse?</P> Thu, 19 Sep 2013 01:06:30 GMT https://community.splunk.com/t5/Splunk-Search/search-correction-with-NOT/m-p/66835#M16673 lukejadamec 2013-09-19T01:06:30Z https://community.splunk.com/t5/Splunk-Search/search-correction-with-NOT/m-p/66836#M16674 <P>You can't use <CODE>regex</CODE> as the search, although you could run a search and then apply the <CODE>regex</CODE> command to it as @yannK did...</P> Fri, 20 Sep 2013 05:50:20 GMT https://community.splunk.com/t5/Splunk-Search/search-correction-with-NOT/m-p/66836#M16674 lguinn2 2013-09-20T05:50:20Z