topic Re: How to exclude multiple values from multiple fields? in Splunk Search https://community.splunk.com/t5/Splunk-Search/How-to-exclude-multiple-values-from-multiple-fields/m-p/656701#M226817 <P>Your search looks OK - can you share some of the events (anonymised of course) which are being found which shouldn't be?</P> Tue, 05 Sep 2023 16:39:57 GMT ITWhisperer 2023-09-05T16:39:57Z How to exclude multiple values from multiple fields? https://community.splunk.com/t5/Splunk-Search/How-to-exclude-multiple-values-from-multiple-fields/m-p/656699#M226816 <P>I am trying to filter multiple values from two fields but not getting the expected result.</P><P>index=test_01 EventCode=4670 NOT (Field 1 = value1 OR Field 1 = value2) NOT (Process_Name = value 3 OR Process_Name = value 4)</P><P>&nbsp;</P><P>I am geting splunk results which includes Process_Name=value 3 and Process_Name=value 4</P> Tue, 05 Sep 2023 15:45:36 GMT https://community.splunk.com/t5/Splunk-Search/How-to-exclude-multiple-values-from-multiple-fields/m-p/656699#M226816 rnikam1412 2023-09-05T15:45:36Z Re: How to exclude multiple values from multiple fields? https://community.splunk.com/t5/Splunk-Search/How-to-exclude-multiple-values-from-multiple-fields/m-p/656701#M226817 <P>Your search looks OK - can you share some of the events (anonymised of course) which are being found which shouldn't be?</P> Tue, 05 Sep 2023 16:39:57 GMT https://community.splunk.com/t5/Splunk-Search/How-to-exclude-multiple-values-from-multiple-fields/m-p/656701#M226817 ITWhisperer 2023-09-05T16:39:57Z Re: How to exclude multiple values from multiple fields? https://community.splunk.com/t5/Splunk-Search/How-to-exclude-multiple-values-from-multiple-fields/m-p/656755#M226832 <P>Are you sure your value 3 and value 4 do not contain, for example, white space? &nbsp;I cannot help but notice that you did not quote "value 3" and "value 4". &nbsp;If the search is illustrative, it should be something like</P><LI-CODE lang="markup">index=test_01 EventCode=4670 NOT ("Field 1" = value1 OR "Field 1" = value2) NOT (Process_Name = "value 3" OR Process_Name = "value 4")</LI-CODE> Wed, 06 Sep 2023 05:03:17 GMT https://community.splunk.com/t5/Splunk-Search/How-to-exclude-multiple-values-from-multiple-fields/m-p/656755#M226832 yuanliu 2023-09-06T05:03:17Z