topic Re: Is it possible to use | format to get != in Splunk Search

Is it possible to use | format to get !=?

fredclown — Mon, 05 Jun 2023 20:36:53 GMT

I have a search and in the initial part of the search I have a subquery that returns some IP addresses formatted like this using the | format command.

(ip="10.10.10.10 OR ip="1.1.1.1" OR ip="2.2.2.2")

I have a different search where I want to negate it. Is there a way to do this? I know that the format command does allow you to do things like this ...

(NOT ip="10.10.10.10 NOT ip="1.1.1.1" NOT ip="2.2.2.2")

However, NOT ip="value" is not the same as ip!="value" in Splunk land. So, I guess I'm wondering if anyone has a great way in a subquery to pass back the field/value pairs with != rather than =. My hunch is | format can't do it, but maybe there is a different way. Hope that makes sense.

Re: Is it possible to use | format to get !=

fredclown — Mon, 05 Jun 2023 20:38:49 GMT

After thinking about it more for a bit I think this should work and do the same thing as != for each field/value pair but still allows me to use | format.

| format "ip=* AND (NOT" "" "" "" "NOT" ")"

I think this should give me the same results. Does this look right?

Re: Is it possible to use | format to get !=?

PickleRick — Mon, 05 Jun 2023 20:48:28 GMT

Remember that if your subsearch returns a field called "search", it's returned verbatim to the outer search. So you can craft a search string yourself if the format command isn't sufficient.

Run-anywhere example:

| makeresults count=20
| streamstats count 
| search 
[| makeresults count=10 
| streamstats count
| table count
| eval count="count!=".count
| stats values(count) as search
| eval search=mvjoin(search," AND ")]

Re: Is it possible to use | format to get !=?

fredclown — Mon, 05 Jun 2023 22:28:10 GMT

That is a good option. I think my way would work as well, but I like the output of something like this better. It looks cleaner.