https://community.splunk.com/t5/Splunk-Search/How-can-I-return-events-with-excluded-field-value-combined-with/m-p/642929#M222681 <P>So you want this?</P><LI-CODE lang="markup">search .... (field!=value OR NOT field=*)</LI-CODE><P>&nbsp;</P> Wed, 10 May 2023 22:25:18 GMT bowesmana 2023-05-10T22:25:18Z https://community.splunk.com/t5/Splunk-Search/How-can-I-return-events-with-excluded-field-value-combined-with/m-p/642856#M222651 <P>Hello all.</P> <P>I've been having some trouble with a tricky query. Essentially, I want to return all events that contain a certain field, with a specific value excluded, and combine that with all events that also contain nothing for that particular field.</P> <P>For excluding the field value, I would use:</P> <P>&nbsp;</P> <P>&nbsp;</P> <LI-CODE lang="markup">... field!=value</LI-CODE> <P>&nbsp;</P> <P>&nbsp;</P> <P>And for all events that do not have a value for that field, I would use:</P> <P>&nbsp;</P> <P>&nbsp;</P> <LI-CODE lang="markup">... NOT field="*"</LI-CODE> <P>&nbsp;</P> <P>&nbsp;</P> <P>I have no idea how to combine these, as one requires the field and the other completely excludes it. I have tried:</P> <P>&nbsp;</P> <P>&nbsp;</P> <LI-CODE lang="markup">&lt;search&gt; field!=value | fields -field</LI-CODE> <P>&nbsp;</P> <P>&nbsp;</P> <P>But it doesn't work, as I believe I'm basically applying a filter but doing nothing with it.<BR /><BR />Any help will be greatly appreciated! Thank you.</P> Thu, 11 May 2023 02:04:53 GMT https://community.splunk.com/t5/Splunk-Search/How-can-I-return-events-with-excluded-field-value-combined-with/m-p/642856#M222651 foxglove 2023-05-11T02:04:53Z https://community.splunk.com/t5/Splunk-Search/How-can-I-return-events-with-excluded-field-value-combined-with/m-p/642929#M222681 <P>So you want this?</P><LI-CODE lang="markup">search .... (field!=value OR NOT field=*)</LI-CODE><P>&nbsp;</P> Wed, 10 May 2023 22:25:18 GMT https://community.splunk.com/t5/Splunk-Search/How-can-I-return-events-with-excluded-field-value-combined-with/m-p/642929#M222681 bowesmana 2023-05-10T22:25:18Z https://community.splunk.com/t5/Splunk-Search/How-can-I-return-events-with-excluded-field-value-combined-with/m-p/642934#M222685 <P>I believe what you're looking to do should be implicitly solved by searching</P><P>&nbsp;</P><LI-CODE lang="markup">NOT field=value</LI-CODE><P>&nbsp;</P><P>&nbsp;</P><P>When searching with != you are also telling Splunk to only return results with a valid entry for that field. Take a look at the documentation for <A href="https://docs.splunk.com/Documentation/Splunk/latest/Search/NOTexpressions" target="_blank" rel="noopener">Difference between != and NOT</A> for an in-depth&nbsp; breakdown of the differences.</P><P>But <a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/256609">@foxglove</a> your question is a bit ambiguous, are you searching against two separate fields, looking for both null/nonexistent value and non-excluded values, or only null/nonexistent values that also don't match the searched value?</P> Thu, 11 May 2023 00:27:33 GMT https://community.splunk.com/t5/Splunk-Search/How-can-I-return-events-with-excluded-field-value-combined-with/m-p/642934#M222685 2ero 2023-05-11T00:27:33Z https://community.splunk.com/t5/Splunk-Search/How-can-I-return-events-with-excluded-field-value-combined-with/m-p/643036#M222741 <P>Apologies for the ambiguity. I did mean the same field. Your solution is what I was looking for, so thank you. I forgot about the implicit nature of NOT in that it excludes all events that have a particular value for that field, which would include all events that do not any value for that field at all. Thanks again!</P> Thu, 11 May 2023 12:50:01 GMT https://community.splunk.com/t5/Splunk-Search/How-can-I-return-events-with-excluded-field-value-combined-with/m-p/643036#M222741 foxglove 2023-05-11T12:50:01Z