topic Re: How to exclude particular values? in Splunk Search

How to exclude particular values?

karthi2809 — Fri, 26 Apr 2024 11:28:28 GMT

Hi All,

How to exclude particular values of fields in this query.In my scenario if message having "file not found" so i dont want to show the transactions. below is the query i tried to exclude.

index=mulesoft environment=* applicationName IN ("processor","api")|where message!="No files found for*" | stats values(content.InterfaceName) as InterfaceName values(content.Error) as error values(message) as message values(priority) as priority min(timestamp) AS Logon_Time, max(timestamp) AS Logoff_Time BY applicationName,correlationId | table Status InterfaceName applicationName Timestamp "Total Elapsed Time" FileList "SuccessFile/FailureFile" Response correlationId | search InterfaceName IN ("Test") And i tried | search NOT message IN ("No files found for*")

Re: How to exclude particular values?

richgalloway — Fri, 26 Apr 2024 12:02:25 GMT

The where command does not handle wildcards. Instead, use the search command.

The values function produces multi-value fields, which require special handling.

Try this query.

index=mulesoft environment=* applicationName IN ("processor","api") message!="No files found for*" | stats values(content.InterfaceName) as InterfaceName values(content.Error) as error values(message) as message values(priority) as priority min(timestamp) AS Logon_Time, max(timestamp) AS Logoff_Time BY applicationName,correlationId | where isnotnull(mvfind(InterfaceName, "Test")) | table Status InterfaceName applicationName Timestamp "Total Elapsed Time" FileList "SuccessFile/FailureFile" Response correlationId

Re: How to exclude particular values?

karthi2809 — Fri, 26 Apr 2024 12:52:38 GMT

Actually i am using multiple values in interfacename.And mvfind is not for interfacename .

| search InterfaceName IN (
"ABC",
"ABCD",
"COP")

Re: How to exclude particular values?

richgalloway — Fri, 26 Apr 2024 13:11:29 GMT

I don't understand what is meant by "mvfind is not for interfacename". The mvfind function can be used with any multi-value field (InterfaceName is multi-valued since it is created by the values function).

The mvfind function can be used with multiple values in a regular expression.

| where isnotnull(mvfind(InterfaceName("ABC|ABCD|COP"))

Re: How to exclude particular values?

karthi2809 — Fri, 26 Apr 2024 13:22:25 GMT

I just want to exclude the message contains "No files found" .If the keywords contains No files found .We dont to want to show the particular transactions.Saerch command which is used in last for the values from dropdown from dashboard values .So i used search interfacename in last.

Re: How to exclude particular values?

richgalloway — Fri, 26 Apr 2024 13:51:51 GMT

The "no file found" message is excluded in the base search.

index=mulesoft environment=* applicationName IN ("processor","api") message!="No files found for*"