Dashboards & Visualizations
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Exclusion using NOT to exclude values

secure
Path Finder
‎04-08-2025 03:04 AM

i have a query where im generating a table with columns 

ostype ,osversion and status  i need to exclude anything below version 12 for solaris and suse im using the below command and it works but this is not efficient way 

| search state="Installed"
| search NOT( os_type="solaris" AND os_version <12)
| search NOT( os_type="*suse*" AND os_version <12)

i was trying to use the below command

| search state="Installed" NOT (( os_type="solaris" AND os_version <12) OR ( os_type="*suse*" AND os_version <12))

and its not working

any suggestions

Labels (1)
Labels
Tags (1)
0 Karma
Reply

livehybrid
SplunkTrust
SplunkTrust
‎04-08-2025 05:48 AM

Hi @secure 

You could try the following which I think should do what you need?

| where NOT (os_type="solaris" OR like(os_type,"%suse%")) OR os_version>=12

 

The match is used due to the wildcards, so in this where statement we are excluding solaris/*suse* unless the os_version is greater/equal to 12 (Which is functionally the same as excluding less than version 12).

🌟 Did this answer help you? If so, please consider:

  • Adding karma to show it was useful
  • Marking it as the solution if it resolved your issue
  • Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing

 

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎04-08-2025 05:22 AM 
| search os_version>=12 OR NOT (os_type="solaris" OR os_type="suse")
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎04-08-2025 03:32 AM

Hi @secure ,

are you sure about the field names? you used two different names for each of them (ostype and OS_type) but maybe it's a mistyping.

Anyway, che ck the field names.

Then check the value of os_version, if you use the "<" char, it must be numeric.

Ciao.

Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability as Code: From Zero to Dashboard

For the details on what Self-Service Observability and Observability as Code is, we have some awesome content ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...