https://community.splunk.com/t5/Splunk-Search/How-to-drop-certain-username-from-search/m-p/590783#M205675 <P>Hi Guys,&nbsp;<BR /><BR />I am trying to do a search and also at the same time drop certain information from showing up.<BR /><BR />As seen from the table below&nbsp; , there is this user [ghjkl-hh123-wer56] that shows up.&nbsp;<BR /><BR />Can I know what must I do from the search string such that usernames like the above no longer show up?<BR /><BR />Please advise.</P> <TABLE width="380"> <TBODY> <TR> <TD width="211">username</TD> <TD width="169">hostname</TD> </TR> <TR> <TD>user1</TD> <TD>host1</TD> </TR> <TR> <TD>user2</TD> <TD>host2</TD> </TR> <TR> <TD>ghjkl-hh123-wer56</TD> <TD>host3</TD> </TR> <TR> <TD>ghjkl-hh123-wer56</TD> <TD>host4</TD> </TR> <TR> <TD>user3</TD> <TD>host4</TD> </TR> </TBODY> </TABLE> <P><BR />Hope this clarifies</P> <P>Thank You</P> <P>regards,<BR />Alex</P> Fri, 25 Mar 2022 13:55:13 GMT splunknewbie81 2022-03-25T13:55:13Z https://community.splunk.com/t5/Splunk-Search/How-to-drop-certain-username-from-search/m-p/590783#M205675 <P>Hi Guys,&nbsp;<BR /><BR />I am trying to do a search and also at the same time drop certain information from showing up.<BR /><BR />As seen from the table below&nbsp; , there is this user [ghjkl-hh123-wer56] that shows up.&nbsp;<BR /><BR />Can I know what must I do from the search string such that usernames like the above no longer show up?<BR /><BR />Please advise.</P> <TABLE width="380"> <TBODY> <TR> <TD width="211">username</TD> <TD width="169">hostname</TD> </TR> <TR> <TD>user1</TD> <TD>host1</TD> </TR> <TR> <TD>user2</TD> <TD>host2</TD> </TR> <TR> <TD>ghjkl-hh123-wer56</TD> <TD>host3</TD> </TR> <TR> <TD>ghjkl-hh123-wer56</TD> <TD>host4</TD> </TR> <TR> <TD>user3</TD> <TD>host4</TD> </TR> </TBODY> </TABLE> <P><BR />Hope this clarifies</P> <P>Thank You</P> <P>regards,<BR />Alex</P> Fri, 25 Mar 2022 13:55:13 GMT https://community.splunk.com/t5/Splunk-Search/How-to-drop-certain-username-from-search/m-p/590783#M205675 splunknewbie81 2022-03-25T13:55:13Z https://community.splunk.com/t5/Splunk-Search/How-to-drop-certain-username-from-search/m-p/590785#M205677 <P>Hi <a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/236088">@splunknewbie81</a>&nbsp;</P><P>You can exclude specific username from search using&nbsp;</P><P><SPAN>username!="ghjkl-hh123-wer56"</SPAN></P><P><SPAN>Or exclude </SPAN><SPAN>&nbsp;usernames&nbsp; starting with&nbsp;ghjkl</SPAN></P><P><SPAN>Use&nbsp;username!="ghjkl*"</SPAN></P><P><SPAN>Exclude multiple usernames use</SPAN></P><P><SPAN>NOT username IN&nbsp; ("user1" ,"user2")<BR /></SPAN></P> Fri, 25 Mar 2022 01:59:31 GMT https://community.splunk.com/t5/Splunk-Search/How-to-drop-certain-username-from-search/m-p/590785#M205677 SanjayReddy 2022-03-25T01:59:31Z https://community.splunk.com/t5/Splunk-Search/How-to-drop-certain-username-from-search/m-p/590823#M205689 <P>Just beware that</P><PRE>field!=value</PRE><P>does not have the same meaning as</P><PRE>NOT field=value</PRE><P>The first one will match only if there is a field called "field" within an event and its value is not "value".</P><P>The second one will match any event in which there is no field called "field" with value "value", which means it will also match events in which there is no field called "field" whatsoever. The first one wouldn't match those events.</P> Fri, 25 Mar 2022 10:10:51 GMT https://community.splunk.com/t5/Splunk-Search/How-to-drop-certain-username-from-search/m-p/590823#M205689 PickleRick 2022-03-25T10:10:51Z https://community.splunk.com/t5/Splunk-Search/How-to-drop-certain-username-from-search/m-p/591164#M205809 <P>I don't really understand. Can you show me a example please?</P> Tue, 29 Mar 2022 03:47:15 GMT https://community.splunk.com/t5/Splunk-Search/How-to-drop-certain-username-from-search/m-p/591164#M205809 splunknewbie81 2022-03-29T03:47:15Z https://community.splunk.com/t5/Splunk-Search/How-to-drop-certain-username-from-search/m-p/591183#M205815 <P>Let's assume you have events with two different fields - A and B</P><TABLE border="1" width="100%"><TBODY><TR><TD width="50%"><STRONG>A</STRONG></TD><TD width="50%"><STRONG>B</STRONG></TD></TR><TR><TD width="50%">1</TD><TD width="50%">1</TD></TR><TR><TD width="50%">2</TD><TD width="50%">2</TD></TR><TR><TD width="50%">3</TD><TD width="50%">3</TD></TR><TR><TD width="50%">1</TD><TD width="50%">&nbsp;</TD></TR><TR><TD width="50%">2</TD><TD width="50%">1</TD></TR><TR><TD width="50%">3</TD><TD width="50%">2</TD></TR><TR><TD width="50%">1</TD><TD width="50%">3</TD></TR><TR><TD width="50%">2</TD><TD width="50%">&nbsp;</TD></TR><TR><TD width="50%">3</TD><TD width="50%"><P>1</P></TD></TR></TBODY></TABLE><P>&nbsp;</P><P>Now if you want to search for</P><PRE>A!=1</PRE><P>will give you the same results as</P><PRE>NOT A=1</PRE><P>because the field A has some value in every event.</P><P>But if you search for</P><PRE>B!=1</PRE><P>you will only get events which have a value in B field and that value is different than 1.</P><P>So you'll only get as results only those events that have B=2 or B=3.</P><P>But if you search for</P><PRE>NOT B=1</PRE><P>you will get as results all those events in which the B=1 condition is not fulfilled which means that either B=2, B=3 or there is no value for field B at all.</P> Tue, 29 Mar 2022 06:13:31 GMT https://community.splunk.com/t5/Splunk-Search/How-to-drop-certain-username-from-search/m-p/591183#M205815 PickleRick 2022-03-29T06:13:31Z