topic How to exclude some indexes from search? in Splunk Search

How to exclude some indexes from search?

Thomas19 — Thu, 07 Apr 2022 15:30:06 GMT

Hi, I am encountering issue with 1 particular index. I am unable to use index!= to exclude the results from that particular index.

For example, I have 3 indexes - endpoint, server, mobile. I run a index=* index!=server index!=mobile [search parameters].

However, when the results came back, it is showing 2 indexes - endpoint and server.

That means the index!=mobile works, but not the index!=server. And I did verify without the index!= command, I will see all 3 indexes.

Of course this is a very simplified example with only 3 indexes but I am wondering, what could cause the index!=server not to work. In my current setup, all other indexes (I tested 10) work with index!= command but not that particular one.

Thanks.

Re: Exclude some indexes from search

yuanliu — Thu, 07 Apr 2022 05:43:43 GMT

Is it possible that the string "server" is not the precise index name? Try search index=server alone to see if you get anything back.

As a side, you do not to add index=* in search string. Additionally, you can probably use "NOT index IN (endpoint, mobile)" to make code more compact.

Re: Exclude some indexes from search

Thomas19 — Thu, 07 Apr 2022 06:07:38 GMT

Thanks. Ya, the server is the precise index. Running index=server only return a single index

I tested the NOT IN, removed the index=*, still the same result. That particular index keep showing up - it works for all other indexes except for that - tested with many different indexes. So I suspect something is different with that index, just that I couldn't figure out the root cause.

Re: Exclude some indexes from search

yuanliu — Thu, 07 Apr 2022 14:18:31 GMT

A second test could be index!=*server*.

As you tested, all the side notes do not contribute to the essentials:-)