topic How to search for events that do not contain a field, where that field has a period in its name? in Splunk Search https://community.splunk.com/t5/Splunk-Search/How-to-search-for-events-that-do-not-contain-a-field-where-that/m-p/266217#M80046 <P>I have JSON records.<BR /> Some contain the field <STRONG>logdata.message</STRONG>, others contain the field <STRONG>logdata.exception.Message</STRONG>.<BR /> I wish to find all the records where logdata.exception.Message does not exist.</P> <P>Note that both logdata and logdata.exception are parsed as objects containing fields (strings) or other objects.</P> <P>I tried the approach suggested here (<A href="https://answers.splunk.com/answers/59305/how-to-find-records-that-do-not-contain-a-certain-field.html">https://answers.splunk.com/answers/59305/how-to-find-records-that-do-not-contain-a-certain-field.html</A>) but the following didn't work:</P> <PRE><CODE>index=appdata level="ERROR" NOT 'logdata.exception'=* NOT 'logdata.exception.Message'=* </CODE></PRE> <P>Since the fields have periods in their qualified names, I wrapped them in single quotes.</P> Wed, 20 Jul 2016 00:10:04 GMT mdufrasne 2016-07-20T00:10:04Z How to search for events that do not contain a field, where that field has a period in its name? https://community.splunk.com/t5/Splunk-Search/How-to-search-for-events-that-do-not-contain-a-field-where-that/m-p/266217#M80046 <P>I have JSON records.<BR /> Some contain the field <STRONG>logdata.message</STRONG>, others contain the field <STRONG>logdata.exception.Message</STRONG>.<BR /> I wish to find all the records where logdata.exception.Message does not exist.</P> <P>Note that both logdata and logdata.exception are parsed as objects containing fields (strings) or other objects.</P> <P>I tried the approach suggested here (<A href="https://answers.splunk.com/answers/59305/how-to-find-records-that-do-not-contain-a-certain-field.html">https://answers.splunk.com/answers/59305/how-to-find-records-that-do-not-contain-a-certain-field.html</A>) but the following didn't work:</P> <PRE><CODE>index=appdata level="ERROR" NOT 'logdata.exception'=* NOT 'logdata.exception.Message'=* </CODE></PRE> <P>Since the fields have periods in their qualified names, I wrapped them in single quotes.</P> Wed, 20 Jul 2016 00:10:04 GMT https://community.splunk.com/t5/Splunk-Search/How-to-search-for-events-that-do-not-contain-a-field-where-that/m-p/266217#M80046 mdufrasne 2016-07-20T00:10:04Z Re: How to search for events that do not contain a field, where that field has a period in its name? https://community.splunk.com/t5/Splunk-Search/How-to-search-for-events-that-do-not-contain-a-field-where-that/m-p/266218#M80047 <P>Try this</P> <PRE><CODE>index=appdata level="ERROR" NOT ('logdata.exception'=* OR 'logdata.exception.Message'=*) </CODE></PRE> Wed, 20 Jul 2016 01:10:25 GMT https://community.splunk.com/t5/Splunk-Search/How-to-search-for-events-that-do-not-contain-a-field-where-that/m-p/266218#M80047 sundareshr 2016-07-20T01:10:25Z Re: How to search for events that do not contain a field, where that field has a period in its name? https://community.splunk.com/t5/Splunk-Search/How-to-search-for-events-that-do-not-contain-a-field-where-that/m-p/266219#M80048 <P>no go - I replaced the OR with AND as well. Neither worked. <span class="lia-unicode-emoji" title=":disappointed_face:">😞</span></P> Wed, 20 Jul 2016 01:21:27 GMT https://community.splunk.com/t5/Splunk-Search/How-to-search-for-events-that-do-not-contain-a-field-where-that/m-p/266219#M80048 mdufrasne 2016-07-20T01:21:27Z Re: How to search for events that do not contain a field, where that field has a period in its name? https://community.splunk.com/t5/Splunk-Search/How-to-search-for-events-that-do-not-contain-a-field-where-that/m-p/266220#M80049 <P>Does <CODE>index=appdata level="ERROR"</CODE> return valid data?</P> Wed, 20 Jul 2016 01:32:23 GMT https://community.splunk.com/t5/Splunk-Search/How-to-search-for-events-that-do-not-contain-a-field-where-that/m-p/266220#M80049 sundareshr 2016-07-20T01:32:23Z Re: How to search for events that do not contain a field, where that field has a period in its name? https://community.splunk.com/t5/Splunk-Search/How-to-search-for-events-that-do-not-contain-a-field-where-that/m-p/266221#M80050 <P>Why,if you need events "where logdata.exception.Message does not exist", you used both the conditions?<BR /> Bye.<BR /> Giuseppe </P> Wed, 20 Jul 2016 06:37:37 GMT https://community.splunk.com/t5/Splunk-Search/How-to-search-for-events-that-do-not-contain-a-field-where-that/m-p/266221#M80050 gcusello 2016-07-20T06:37:37Z Re: How to search for events that do not contain a field, where that field has a period in its name? https://community.splunk.com/t5/Splunk-Search/How-to-search-for-events-that-do-not-contain-a-field-where-that/m-p/266222#M80051 <P>You must use double-quotes, not single-quotes. Try this:</P> <PRE><CODE>index=appdata level="ERROR" NOT ("logdata.exception"="*" OR "logdata.exception.Message"="*") </CODE></PRE> Wed, 20 Jul 2016 13:30:39 GMT https://community.splunk.com/t5/Splunk-Search/How-to-search-for-events-that-do-not-contain-a-field-where-that/m-p/266222#M80051 woodcock 2016-07-20T13:30:39Z