
NOT operator issue


I'm having trouble applying a filter to group servers which share the scp keyword into %scp% and %dscp% subgroups. The resulting AND expression does not return any values.
How should I rewrite the NOT sentence?

NOT (hostname like "%dscp%") AND hostname like "%scp%", "SCPs", 
hostname like "%dscp%", "DSCPs",
hostname like "%mgr%", "MGRs"

EDIT: Also tried the variation

NOT like(HOST_NAME,"%dscp%") AND like(HOST_NAME,"%scp%"), "SCPs", 

with no luck.



Some admin please delete this question.
The initial search was correct.
Turns out some collection process had stopped and that range of hosts was not being updated; that's why I wasn't seeing any results, there weren't any to show.


host=*scp* AND host!=*dscp*


host=*scp* NOT host=*dscp*


Thanks jonuwz,
but it seems case does not play well with that wildcard form:

Error in 'eval' command: The expression is malformed. An unexpected character is reached at '*scp* AND hostname !=*dscp*, "SCPs", hostname =*dscp*, "DSCPs"

If I encapsulate the wildcards with quotes,

hostname == "*scp*" AND host!="*dscp*"

it just does not find anything, as it explicitly searches for the string "*scp*" ('*' characters included).
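
The behaviour discussed in this thread, as an added example that is not from any of the posters: a self-contained search that builds five constructed hostnames with makeresults and classifies them twice, once with the NOT form from the question and once relying on case() returning the first clause that matches, so the narrower %dscp% pattern is tested before %scp%. The hostnames and the field names n, group_not, group_ordered and literal_star are assumptions made for illustration.

```spl
| makeresults count=5
| streamstats count AS n
| eval hostname=case(n=1,"lon-scp-01", n=2,"lon-dscp-01", n=3,"par-mgr-02", n=4,"par-scp-07", n=5,"web-01")
| eval group_not=case(
    NOT like(hostname,"%dscp%") AND like(hostname,"%scp%"), "SCPs",
    like(hostname,"%dscp%"), "DSCPs",
    like(hostname,"%mgr%"), "MGRs",
    true(), "other")
| eval group_ordered=case(
    like(hostname,"%dscp%"), "DSCPs",
    like(hostname,"%scp%"), "SCPs",
    like(hostname,"%mgr%"), "MGRs",
    true(), "other")
| eval literal_star=if(hostname=="*scp*","match","no match")
| table hostname group_not group_ordered literal_star
```

The two group columns agree on every row, and literal_star is "no match" throughout because == in eval compares against the literal characters; the * wildcard is only expanded in search terms such as host=*scp*, while like() takes % and _.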
