NOT operator issue

splunk_zen · ‎02-22-2013

I'm having trouble applying a filter to group servers which share the scp keyword, into %scp% and %dscp% subgroups. The resulting AND expression does not return any values.
How should I rewrite the NOT sentence ?

case(
NOT (hostname like "%dscp%") AND hostname like "%scp%", "SCPs", 
....
hostname like "%dscp%", "DSCPs",
hostname like "%mgr%", "MGRs"
), 
"other")

EDIT: Also tried the variation

NOT like(HOST_NAME,"%dscp%") AND like(HOST_NAME,"%scp%"), "SCPs",

with no luck.

splunk_zen · ‎02-22-2013

Sigh...
Some admin please delete this question.
The initial search was correct.
Turns out some collection process had stopped and that range of hosts were not being updated, that's why I was seeing any results, there weren't any to show..

jonuwz · ‎02-22-2013

host=*scp* AND host!=*dscp*

or

host=*scp* NOT host=*dscp*

splunk_zen · ‎02-22-2013

Thanks jonuwz,
but it seems case does not play well with that wildcard form:

Error in 'eval' command: The expression is malformed. An unexpected character is reached at '*scp* AND hostname !=*dscp*, "SCPs", hostname =*dscp*, "DSCPs"

If I encapsulate the wildcards with quotes,

hostnam == "*scp*" AND host!="*dscp*"

it just does not find anything as it explicitly searches for the string "scp" ('*' characters included)

NOT operator issue

Splunk Observability Cloud | Customer Survey!

Happy CX Day, Splunk Community!

.conf23 | Get Your Cybersecurity Defense Analyst Certification in Vegas