
difference between NOT and !=

Path Finder

Hi fellow Splunkers,

I just fell over the difference between "NOT srcip=1.2.3.4" and "srcip!=1.2.3.4" in a basesearch. Can someone explain what the difference is and why?

What I did was to use this statement in a basesearch, filtering out this single IP. What happens is:
- "srcip!=1.2.3.4": Filters out this single IP and all events with srcip being null
- "NOT srcip=1.2.3.4": Filters out this single IP, leaves all events with null srcip standing

I know that "NOT srcip=*" is the best way to search for empty or null occurrences of srcip. But I figure I should understand what is happening under the hood as well.

Thanks for the enlightenment.

Olli

0 Karma

Re: difference between NOT and !=

Path Finder

Thinking about it, I would assume that "src_ip!=" needs a field value to compare with. Probably a "check this field value, remove the match". So if no field value is there, the clause cannot come back being positive, because it cannot be checked.

Whereas "NOT src_ip" negates the clause. Which is negative when either this wanted value exists or when the field cannot be checked. So on both occurrences it comes back negative, negated again gives a positive.

0 Karma

Re: difference between NOT and !=

Champion

From the Splunk Search Manual...

Difference between NOT and !=

When you want to exclude results from your search you can use the NOT operator or the != field expression. However, there is a significant difference in the results that are returned from these two methods.

Suppose you have the following fields:
- fieldA
- fieldB
- fieldC

Each of these fields has 3 values, for example fieldA has value1, value2, and value3.

If you search for fieldB!=value3, the search returns only those values for fieldB that are not value3:
- fieldB=value1, fieldB=value2

If fieldB does not exist, nothing is returned.

If you search for NOT fieldB=value3, the search returns everything except fieldB=value3:
- fieldA=value1, fieldA=value2, fieldA=value3
- fieldB=value1, fieldB=value2
- fieldC=value1, fieldC=value2, fieldC=3

If fieldB does not exist, NOT fieldB=value3 returns:
- fieldA=value1, fieldA=value2, fieldA=value3
- fieldC=value1, fieldC=value2, fieldC=3

0 Karma
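The manual's rule can be modelled on a handful of events to make the null-field behaviour visible. This is an added example, not code from the thread or from Splunk: the events and the three predicate functions are constructed here, and the `"*"` handling stands in for the wildcard match Olli mentions (`NOT srcip=*`).

```python
# Added example: a small model of how Splunk's `field!=value` and
# `NOT field=value` treat events in which the field was never extracted.
# Constructed sample events; `srcip` is missing from e3 and e5.
EVENTS = [
    {"_raw": "e1", "srcip": "1.2.3.4"},
    {"_raw": "e2", "srcip": "10.0.0.7"},
    {"_raw": "e3"},                    # srcip not extracted
    {"_raw": "e4", "srcip": "1.2.3.4"},
    {"_raw": "e5", "dest": "10.9.9.9"},  # srcip not extracted
]


def field_equals(event, field, value):
    """field=value: true only when the field exists and matches.
    value "*" stands in for the wildcard, i.e. 'field has any value'."""
    if field not in event:
        return False
    return value == "*" or event[field] == value


def field_not_equals(event, field, value):
    """field!=value: a comparison, so it needs something to compare against.
    An event without the field can never satisfy it (the manual's
    'if fieldB does not exist, nothing is returned')."""
    return field in event and event[field] != value


def not_field_equals(event, field, value):
    """NOT field=value: negation of the match, so events where the field
    is missing (match is false) pass through."""
    return not field_equals(event, field, value)


def search(events, predicate, field, value):
    """Return the _raw ids of the events the predicate keeps."""
    return [e["_raw"] for e in events if predicate(e, field, value)]


def compare(events, field, value):
    """Run both exclusion styles side by side for one field/value pair."""
    return {
        f"{field}!={value}": search(events, field_not_equals, field, value),
        f"NOT {field}={value}": search(events, not_field_equals, field, value),
    }


if __name__ == "__main__":
    for spl, hits in compare(EVENTS, "srcip", "1.2.3.4").items():
        print(f"{spl:22} -> {hits}")
    # The filter Olli mentions for finding events with no srcip at all:
    print(f"{'NOT srcip=*':22} -> {search(EVENTS, not_field_equals, 'srcip', '*')}")
```

For a detection search that excludes one known host, the `!=` form also silently drops every event where `srcip` failed to extract, which is the blind spot the thread is describing.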

Re: difference between NOT and !=

Contributor

"fieldname!=value" only matches events where the field does exist. NOT does not, and also matches events where the field does not exist.
