Dashboards & Visualizations
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Exclusion using NOT to exclude values

secure
Path Finder
‎04-08-2025 03:04 AM

i have a query where im generating a table with columns 

ostype ,osversion and status  i need to exclude anything below version 12 for solaris and suse im using the below command and it works but this is not efficient way 

| search state="Installed"
| search NOT( os_type="solaris" AND os_version <12)
| search NOT( os_type="*suse*" AND os_version <12)

i was trying to use the below command

| search state="Installed" NOT (( os_type="solaris" AND os_version <12) OR ( os_type="*suse*" AND os_version <12))

and its not working

any suggestions

Labels (1)
Labels
Tags (1)
0 Karma
Reply

livehybrid
Super Champion
‎04-08-2025 05:48 AM

Hi @secure 

You could try the following which I think should do what you need?

| where NOT (os_type="solaris" OR like(os_type,"%suse%")) OR os_version>=12

 

The match is used due to the wildcards, so in this where statement we are excluding solaris/*suse* unless the os_version is greater/equal to 12 (Which is functionally the same as excluding less than version 12).

🌟 Did this answer help you? If so, please consider:

  • Adding karma to show it was useful
  • Marking it as the solution if it resolved your issue
  • Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing

 

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎04-08-2025 05:22 AM 
| search os_version>=12 OR NOT (os_type="solaris" OR os_type="suse")
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎04-08-2025 03:32 AM

Hi @secure ,

are you sure about the field names? you used two different names for each of them (ostype and OS_type) but maybe it's a mistyping.

Anyway, che ck the field names.

Then check the value of os_version, if you use the "<" char, it must be numeric.

Ciao.

Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

Transforming Financial Data into Fraud Intelligence

Every day, banks and financial companies handle millions of transactions, logins, and customer interactions ...

How to send events & findings from AWS to Splunk using Amazon EventBridge

Amazon EventBridge is a serverless service that uses events to connect application components together, making ...

Exciting News: The AppDynamics Community Joins Splunk!

Hello Splunkers,   I’d like to introduce myself—I’m Ryan, the former AppDynamics Community Manager, and I’m ...
Top