https://community.splunk.com/t5/Splunk-Search/Need-a-help-with-splunk-query/m-p/697695#M236988 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/271343">@jagan_vannala</a>&nbsp;,</P><P>sorry but it isn't still clear:</P><P>to exclude particular sessionId, choose the ones to exclude and put them in a condition</P><LI-CODE lang="markup">| search NOT sessionId IN (cond1, cond1, cond3)</LI-CODE><P>Ciao.</P><P>Giuseppe</P> Thu, 29 Aug 2024 10:06:07 GMT gcusello 2024-08-29T10:06:07Z https://community.splunk.com/t5/Splunk-Search/Need-a-help-with-splunk-query/m-p/697689#M236984 <P>HI Team,</P><P>When i am trying to exclude one field by inserting condition sessionId!=X its not working . even though I used "NOT" condition but the field which i am trying to exclude is still showing in results. could you please help how i can exclude&nbsp; particular field</P><P>host="*"&nbsp; sessionId!=X&nbsp;</P><P>host="*" NOT&nbsp;sessionId!=X&nbsp;</P> Thu, 29 Aug 2024 09:49:42 GMT https://community.splunk.com/t5/Splunk-Search/Need-a-help-with-splunk-query/m-p/697689#M236984 jagan_vannala 2024-08-29T09:49:42Z https://community.splunk.com/t5/Splunk-Search/Need-a-help-with-splunk-query/m-p/697690#M236985 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/271343">@jagan_vannala</a>&nbsp;,</P><P>maybe it's a mistyping, but in the solution with NOT you don't need to add !, in other words:</P><LI-CODE lang="markup">host="*" NOT sessionId=X </LI-CODE><P>Anyway, your two searchs has different results because with&nbsp;<SPAN>sessionId!=X you tale all the logs where the filed sessionId is present and hasn't the value "X",</SPAN></P><P><SPAN>instead with&nbsp;NOT&nbsp;sessionId=X you have all the events except the ones with&nbsp;sessionId=X , even if the sessionId field isn't present.</SPAN></P><P><SPAN>Ciao.</SPAN></P><P><SPAN>Giuseppe</SPAN></P> Thu, 29 Aug 2024 09:54:13 GMT https://community.splunk.com/t5/Splunk-Search/Need-a-help-with-splunk-query/m-p/697690#M236985 gcusello 2024-08-29T09:54:13Z https://community.splunk.com/t5/Splunk-Search/Need-a-help-with-splunk-query/m-p/697691#M236986 <P>If you only wanna see events that do not contain the field&nbsp;<SPAN>sessionId You must search as follows</SPAN></P><P>&nbsp;</P><PRE><SPAN>host="*" NOT&nbsp;sessionId</SPAN></PRE><P>&nbsp;&nbsp;</P> Thu, 29 Aug 2024 09:57:41 GMT https://community.splunk.com/t5/Splunk-Search/Need-a-help-with-splunk-query/m-p/697691#M236986 PaulPanther 2024-08-29T09:57:41Z https://community.splunk.com/t5/Splunk-Search/Need-a-help-with-splunk-query/m-p/697694#M236987 <P>Hi ,</P><P>&nbsp;</P><P>I would like to exclude particular session under multiple session ID's</P><P>&nbsp;</P><P>&nbsp;</P> Thu, 29 Aug 2024 10:01:38 GMT https://community.splunk.com/t5/Splunk-Search/Need-a-help-with-splunk-query/m-p/697694#M236987 jagan_vannala 2024-08-29T10:01:38Z https://community.splunk.com/t5/Splunk-Search/Need-a-help-with-splunk-query/m-p/697695#M236988 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/271343">@jagan_vannala</a>&nbsp;,</P><P>sorry but it isn't still clear:</P><P>to exclude particular sessionId, choose the ones to exclude and put them in a condition</P><LI-CODE lang="markup">| search NOT sessionId IN (cond1, cond1, cond3)</LI-CODE><P>Ciao.</P><P>Giuseppe</P> Thu, 29 Aug 2024 10:06:07 GMT https://community.splunk.com/t5/Splunk-Search/Need-a-help-with-splunk-query/m-p/697695#M236988 gcusello 2024-08-29T10:06:07Z https://community.splunk.com/t5/Splunk-Search/Need-a-help-with-splunk-query/m-p/697698#M236989 <P>If I want to exclude multiple fields by using NOT condition how can to use NOT query</P><P>&nbsp;</P><P>NOT sessionId=X AND groupID=Y<BR /><BR />Is this works? please suggest</P> Thu, 29 Aug 2024 10:28:07 GMT https://community.splunk.com/t5/Splunk-Search/Need-a-help-with-splunk-query/m-p/697698#M236989 jagan_vannala 2024-08-29T10:28:07Z https://community.splunk.com/t5/Splunk-Search/Need-a-help-with-splunk-query/m-p/697699#M236990 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/271343">@jagan_vannala</a>&nbsp;,</P><P>use parenthesis:</P><LI-CODE lang="markup">NOT (sessionId=X groupID=Y)</LI-CODE><P>and the AND boolean operator isn't required.</P><P>if you have these doubt, I hint to follow the Splink Search Tutorial, that explain how to create your searches:&nbsp;<A href="https://docs.splunk.com/Documentation/SplunkCloud/latest/SearchTutorial/WelcometotheSearchTutorial" target="_blank">https://docs.splunk.com/Documentation/SplunkCloud/latest/SearchTutorial/WelcometotheSearchTutorial</A></P><P>Ciao.</P><P>Giuseppe</P> Thu, 29 Aug 2024 10:34:16 GMT https://community.splunk.com/t5/Splunk-Search/Need-a-help-with-splunk-query/m-p/697699#M236990 gcusello 2024-08-29T10:34:16Z