Dashboards & Visualizations
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Exclusion using NOT to exclude values

secure
Path Finder
‎04-08-2025 03:04 AM

i have a query where im generating a table with columns 

ostype ,osversion and status  i need to exclude anything below version 12 for solaris and suse im using the below command and it works but this is not efficient way 

| search state="Installed"
| search NOT( os_type="solaris" AND os_version <12)
| search NOT( os_type="*suse*" AND os_version <12)

i was trying to use the below command

| search state="Installed" NOT (( os_type="solaris" AND os_version <12) OR ( os_type="*suse*" AND os_version <12))

and its not working

any suggestions

Labels (1)
Labels
Tags (1)
0 Karma
Reply

livehybrid
SplunkTrust
SplunkTrust
‎04-08-2025 05:48 AM

Hi @secure 

You could try the following which I think should do what you need?

| where NOT (os_type="solaris" OR like(os_type,"%suse%")) OR os_version>=12

 

The match is used due to the wildcards, so in this where statement we are excluding solaris/*suse* unless the os_version is greater/equal to 12 (Which is functionally the same as excluding less than version 12).

🌟 Did this answer help you? If so, please consider:

  • Adding karma to show it was useful
  • Marking it as the solution if it resolved your issue
  • Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing

 

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎04-08-2025 05:22 AM 
| search os_version>=12 OR NOT (os_type="solaris" OR os_type="suse")
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎04-08-2025 03:32 AM

Hi @secure ,

are you sure about the field names? you used two different names for each of them (ostype and OS_type) but maybe it's a mistyping.

Anyway, che ck the field names.

Then check the value of os_version, if you use the "<" char, it must be numeric.

Ciao.

Giuseppe

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas     Cisco Live 2026 is almost here, and this ...

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Hello Splunkers,   So you searched, “what is the name of the usb key inserted by bob smith?”  Not gonna lie… ...

Automating Threat Operations and Threat Hunting with Recorded Future

    Automating Threat Operations and Threat Hunting with Recorded Future June 29, 2026 | Register   Is your ...