https://community.splunk.com/t5/Splunk-Search/How-to-exclude-string-keyword-in-same-field-while-using/m-p/678798#M232095 <P>Actually, there is _raw after transaction. It's comprised of merged values of _raw field of events making up the transaction.</P><P>But the question is whether there are any events matching this condition.</P><P>First think I'd check would be to search without the "NOT" condition and see if it matches any events at all.</P> Tue, 27 Feb 2024 10:31:39 GMT PickleRick 2024-02-27T10:31:39Z https://community.splunk.com/t5/Splunk-Search/How-to-exclude-string-keyword-in-same-field-while-using/m-p/678794#M232092 <P>Thanks in Advance.</P><P><SPAN>In my scenario i want to club the the result using correlationID .so i used transaction command .Below query have multiple conditions are checking from same field called message.So i want to exclude some of the search string in this.So after the transaction i tried to exclude the search string but i am not getting the result.</SPAN></P><LI-CODE lang="markup">index="mulesoft" applicationName="concur" environment=DEV ("Concur Ondemand Started*") OR (message="Expense Extract Process started for jobName :*") OR ("Before Calling flow archive-Concur*") OR (message="Concur AP/GL File/s Process Status*") OR (message="Records Count Validation Passed*") OR (message="API: START: /v1/expense/extract/ondemand*" OR message="API: START: /v1/fin*") OR (message="Post - Expense Extract processing to Oracle*") | transaction correlationId| search NOT ("*Failed Processing Concur*")| rename content.SourceFileName as SourceFileName content.JobName as JobName content.loggerPayload.archiveFileName AS ArchivedFileName content.payload{} as Response content.Region as Region content.ConcurRunId as ConcurRunId content.HeaderCount as HeaderCount content.SourceFileDTLCount as SourceFileDTLCount content.APRecordsCountStaged as APRecordsCountStaged content.GLRecordsCountStaged as GLRecordsCountStaged | eval "FileName/JobName"= coalesce(SourceFileName,JobName)| eval JobType=case(like('message',"%Concur Ondemand Started%"),"OnDemand",like('message',"Expense Extract Process started%"),"Scheduled", true() , "Unknown")| eval Status=case(like('message' ,"%Concur AP/GL File/s Process Status%"),"SUCCESS", like('message',"%EXCEPTION%"),"ERROR") |table correlationId "FileName/JobName" Status ArchivedFileName JobType Response Region ConcurRunId HeaderCount SourceFileDTLCount APRecordsCountStaged GLRecordsCountStaged</LI-CODE><P>&nbsp;</P> Tue, 27 Feb 2024 10:04:58 GMT https://community.splunk.com/t5/Splunk-Search/How-to-exclude-string-keyword-in-same-field-while-using/m-p/678794#M232092 karthi2809 2024-02-27T10:04:58Z https://community.splunk.com/t5/Splunk-Search/How-to-exclude-string-keyword-in-same-field-while-using/m-p/678796#M232094 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/205249">@karthi2809</a>,</P><P>Since there is no _raw data after transaction command you cannot make free text searches. You should search using specific field like&nbsp;</P><LI-CODE lang="markup">| search NOT message="*Failed Processing Concur*"</LI-CODE><P>&nbsp;</P> Tue, 27 Feb 2024 10:18:30 GMT https://community.splunk.com/t5/Splunk-Search/How-to-exclude-string-keyword-in-same-field-while-using/m-p/678796#M232094 scelikok 2024-02-27T10:18:30Z https://community.splunk.com/t5/Splunk-Search/How-to-exclude-string-keyword-in-same-field-while-using/m-p/678798#M232095 <P>Actually, there is _raw after transaction. It's comprised of merged values of _raw field of events making up the transaction.</P><P>But the question is whether there are any events matching this condition.</P><P>First think I'd check would be to search without the "NOT" condition and see if it matches any events at all.</P> Tue, 27 Feb 2024 10:31:39 GMT https://community.splunk.com/t5/Splunk-Search/How-to-exclude-string-keyword-in-same-field-while-using/m-p/678798#M232095 PickleRick 2024-02-27T10:31:39Z