topic Re: Splunk search to exclude events from field value in Splunk Search

Splunk search to exclude events from field value

iamsplunker0415 — Fri, 16 Feb 2024 19:43:12 GMT

Hello Splunk Community,

I have a requirement to exclude the events from field values between 2AM-3AM everyday.
For Example Field USA has 4 values
USA = Texas, California, Washington, New York

I want to exclude the events from Washington between 2AM-3AM .However, I want them in remaining time 23 hours period. Is there a search to achieve this?

Re: Splunk search to exclude events from field value

scelikok — Fri, 16 Feb 2024 19:52:08 GMT

Hi @iamsplunker0415,

You can use "date_hour" field for filtering hours, please try below sample;

index=your_index USA="Washington" NOT date_hour IN (2,3)

Re: Splunk search to exclude events from field value

iamsplunker0415 — Fri, 16 Feb 2024 21:30:14 GMT

@scelikok Thank you.

index=<myindex> |search USA="Washington" NOT date_hour IN (2,3) is not working it's only filtering washington not excluding events between 2-3 I also want the remanining values reported all the time.

Re: Splunk search to exclude events from field value

PickleRick — Sat, 17 Feb 2024 07:41:42 GMT

As usual, I advise against using the default date_* fields.

Firstly, they don't have to be present in every event so if you get the habit of relying on them you might be unpleasantly surprised. Secondly, they correspond to the original value of the original timestamp so it might not be aligned to your timezone.

I'd go with

<base search>
| eval hour=strftime(_time,"%H")
| where NOT (hour>=2 AND hour<=3 AND in(USA,"Washington","New York",and so on))