Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

"NOT TERM" removes results

landen99
Motivator
‎12-02-2019 04:51 AM

When using NOT TERM, please keep in mind the following bug (see the answer for the workaround):

index=myindex NOT TERM(b=c)

will yield zero results if all the events contain “a_b=c” like this:

foo a_b=c b=d bar

The problem appears to exist only for normal searches using NOT on TERM where “b=c” exists in other places like “a_b=c”. It does not appear when using tstats. It seems to be a post-search filter.

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

landen99
Motivator
‎12-02-2019 04:54 AM

The work-around appears to be to explicitly include “TERM(a_b=c)” like this:
index=myindex TERM(a_b=c) NOT TERM(b=c)

View solution in original post

0 Karma
Reply
Solved! Jump to solution

mhoogcarspel_sp
Splunk Employee
Splunk Employee
‎12-02-2019 09:28 AM

That's not a bug I think, it's just "b=c" is not a term in the lexicon

fake results:

| makeresults 
| eval _raw="foo a_b=c b=d bar" 
| collect

can find it:

index=summary NOT TERM(b=c)

can't find it:

index=summary NOT TERM(*b=c)

validate:

| walklex index=summary 
| table * 
| search term="*b=c*"

tested on 8.0.1

("_" is a minor segmenter)
https://docs.splunk.com/Documentation/Splunk/8.0.0/Admin/Segmentersconf

https://docs.splunk.com/Documentation/Splunk/8.0.0/Search/UseCASEandTERMtomatchphrases

TERM: Match whatever is inside the
parentheses as a single term in the
index, even if it contains characters
that are usually recognized as minor
segmenters, such as periods or
underscores.
...

The TERM directive is useful when you
are searching for a term:

That contains minor breakers
Is bound by major breakers, such as spaces or commas Does not contain
major breakers

and your term isn't bound by major breakers, but a major (the space) and a minor one (the "_")

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎12-02-2019 08:11 AM

Also be aware of this:
https://docs.splunk.com/Documentation/Splunk/latest/Search/NOTexpressions

0 Karma
Reply
Solved! Jump to solution
Solution

landen99
Motivator
‎12-02-2019 04:54 AM

The work-around appears to be to explicitly include “TERM(a_b=c)” like this:
index=myindex TERM(a_b=c) NOT TERM(b=c)

0 Karma
Reply
Solved! Jump to solution

mhoogcarspel_sp
Splunk Employee
Splunk Employee
‎12-03-2019 01:33 AM

Don't think this is accurate, have a look at my answer below

0 Karma
Reply
Solved! Jump to solution

landen99
Motivator
‎12-06-2019 07:08 PM

It is accurate. Martin Mueller has verified it too.

0 Karma
Reply
Get Updates on the Splunk Community!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...