https://community.splunk.com/t5/Splunk-Search/Ignore-unlike-rows/m-p/313540#M175398 <P>Give this a try (to include on the rows which ends with an asterisk)</P> <PRE><CODE>index="ti_is_st" sourcetype="xfer_log" | regex _raw="^.+\*$" | rex field=_raw "^(\S+\s+){8}\/(([^\s\/]+\/)+)(?&lt;fileName&gt;.+)(\s+\S+){8}$" |rex field=File_Status "(?&lt;File_Status&gt;(i|j|k|o|p|q))\s"|search "$field2$" "$field3$" | streamstats count as Row | table Row _time ip_address Service_Account fileName File_Size File_Status |replace o with "Download Successful" i with "Upload Successful" j with "Upload Errored" k with "Upload Aborted" p with "Download Errored" q with "Download Aborted" in File_Status </CODE></PRE> Tue, 21 Feb 2017 19:38:05 GMT somesoni2 2017-02-21T19:38:05Z https://community.splunk.com/t5/Splunk-Search/Ignore-unlike-rows/m-p/313539#M175397 <P>I have a log that a software package provides which creates a standard record for each event. </P> <P>The standard format is:</P> <P>Wed Oct 26 10:41:14 2016 0 10.40.112.27 437434 /dirlevel1/dirlevel2/dirlevel3/dirlevel4/chr26104109.txt b s o r aaa_aaaaaaa ssh 0 *</P> <P>We also have customer scripts that write to this log in a similar, but different format. These entries are few and would like to ignore these records if possible. The records that I would like to keep and report on always ends in an *. All other records can be ignored. Is it possible to ignore the record in the query statement or at at best, do a different query based on the last character o the record?</P> <P>Query is:</P> <P>index="ti_is_st" sourcetype="xfer_log" | rex field=_raw "^(\S+\s+){8}\/(([^\s\/]+\/)+)(?&lt;fileName&gt;.+)(\s+\S+){8}$" |rex field=File_Status "(?&lt;File_Status&gt;(i|j|k|o|p|q))\s"|search "<EM>$field2$</EM>" "<EM>$field3$</EM>" | streamstats count as Row | table Row _time ip_address Service_Account fileName File_Size File_Status |replace o with "Download Successful" i with "Upload Successful" j with "Upload Errored" k with "Upload Aborted" p with "Download Errored" q with "Download Aborted" in File_Status </P> <P>Thanks, </P> Tue, 29 Sep 2020 12:57:00 GMT https://community.splunk.com/t5/Splunk-Search/Ignore-unlike-rows/m-p/313539#M175397 Mkaz 2020-09-29T12:57:00Z https://community.splunk.com/t5/Splunk-Search/Ignore-unlike-rows/m-p/313540#M175398 <P>Give this a try (to include on the rows which ends with an asterisk)</P> <PRE><CODE>index="ti_is_st" sourcetype="xfer_log" | regex _raw="^.+\*$" | rex field=_raw "^(\S+\s+){8}\/(([^\s\/]+\/)+)(?&lt;fileName&gt;.+)(\s+\S+){8}$" |rex field=File_Status "(?&lt;File_Status&gt;(i|j|k|o|p|q))\s"|search "$field2$" "$field3$" | streamstats count as Row | table Row _time ip_address Service_Account fileName File_Size File_Status |replace o with "Download Successful" i with "Upload Successful" j with "Upload Errored" k with "Upload Aborted" p with "Download Errored" q with "Download Aborted" in File_Status </CODE></PRE> Tue, 21 Feb 2017 19:38:05 GMT https://community.splunk.com/t5/Splunk-Search/Ignore-unlike-rows/m-p/313540#M175398 somesoni2 2017-02-21T19:38:05Z https://community.splunk.com/t5/Splunk-Search/Ignore-unlike-rows/m-p/313541#M175399 <P>Can you see if following filter in the base search of your query helps?</P> <PRE><CODE>"* \*" </CODE></PRE> Tue, 21 Feb 2017 19:40:36 GMT https://community.splunk.com/t5/Splunk-Search/Ignore-unlike-rows/m-p/313541#M175399 niketn 2017-02-21T19:40:36Z https://community.splunk.com/t5/Splunk-Search/Ignore-unlike-rows/m-p/313542#M175400 <P>Works! Thank you</P> Tue, 21 Feb 2017 19:52:58 GMT https://community.splunk.com/t5/Splunk-Search/Ignore-unlike-rows/m-p/313542#M175400 Mkaz 2017-02-21T19:52:58Z