topic Negative substring matching against simple string in Splunk Search https://community.splunk.com/t5/Splunk-Search/Negative-substring-matching-against-simple-string/m-p/248779#M189206 <P>First, I am completely new to Splunk and the extent of my expertise with the query language is dumb wildcard matching and boolean combinations. I'm more than happy to learn more, but you're going to have to explain it assuming minimal knowledge. More than happy to rtfm, if someone could point me to the part of the manual I should be reading (all of it is not a good answer).</P> <P>So actual question:<BR /> I want to exclude all events where one of the fields contains a substring of the following form: "string-one":"string-two", where string-one and string-two are particular strings of interest. So for example I'd like to match</P> <P>field: blah blah blah "foo":"bar"</P> <P>But not </P> <P>field: blah blah blah "string-one":"string-two"</P> <P>As an additional note, this is only one filter in a long list of conditions in the query<BR /> I've tried a simple :<BR /> <CODE>Field NOT ("*\string-one\":\"string-two\"*")</CODE></P> <P>But it isn't working as I expect</P> Tue, 15 Mar 2016 17:20:09 GMT nicklbailey 2016-03-15T17:20:09Z Negative substring matching against simple string https://community.splunk.com/t5/Splunk-Search/Negative-substring-matching-against-simple-string/m-p/248779#M189206 <P>First, I am completely new to Splunk and the extent of my expertise with the query language is dumb wildcard matching and boolean combinations. I'm more than happy to learn more, but you're going to have to explain it assuming minimal knowledge. More than happy to rtfm, if someone could point me to the part of the manual I should be reading (all of it is not a good answer).</P> <P>So actual question:<BR /> I want to exclude all events where one of the fields contains a substring of the following form: "string-one":"string-two", where string-one and string-two are particular strings of interest. So for example I'd like to match</P> <P>field: blah blah blah "foo":"bar"</P> <P>But not </P> <P>field: blah blah blah "string-one":"string-two"</P> <P>As an additional note, this is only one filter in a long list of conditions in the query<BR /> I've tried a simple :<BR /> <CODE>Field NOT ("*\string-one\":\"string-two\"*")</CODE></P> <P>But it isn't working as I expect</P> Tue, 15 Mar 2016 17:20:09 GMT https://community.splunk.com/t5/Splunk-Search/Negative-substring-matching-against-simple-string/m-p/248779#M189206 nicklbailey 2016-03-15T17:20:09Z Re: Negative substring matching against simple string https://community.splunk.com/t5/Splunk-Search/Negative-substring-matching-against-simple-string/m-p/248780#M189207 <P>There's an extra escape character in your search string. Try <CODE>Field NOT ("*string-one\":\"string-two\"*")</CODE> or <CODE>Field NOT ('*string-one":"string-two"*')</CODE>. If those fail, try <CODE>... | where NOT like(field, '%string-one":"string-two"%') | ...</CODE>.</P> Tue, 15 Mar 2016 18:03:35 GMT https://community.splunk.com/t5/Splunk-Search/Negative-substring-matching-against-simple-string/m-p/248780#M189207 richgalloway 2016-03-15T18:03:35Z