Solved: Filtering a Search

heats · ‎08-24-2017

Hi there, so I had a nice search return but I have a few bits that I don't want in the search. Really all I care about are the HTTP responses of 200 and I don't want to see anything with "WhatsUp/1.0" because that's just noise. Is there a good piece of documentation on this?

Trying to figure out what kind of web traffic is on a really old server that needs to be retired. Also, is there good documentation on this type of practice?

somesoni2 · ‎08-24-2017

You can remove events from search results by specifying filters, preferably in base search like this

index=foo sourcetype=bar http_status=200 NOT ("WhatsUp/1.0")

You can refer to Splunk search tutorial for more examples.
http://docs.splunk.com/Documentation/SplunkCloud/6.6.1/SearchTutorial/Usethesearchlanguage

View solution in original post

somesoni2 · ‎08-24-2017

You can remove events from search results by specifying filters, preferably in base search like this

index=foo sourcetype=bar http_status=200 NOT ("WhatsUp/1.0")

You can refer to Splunk search tutorial for more examples.
http://docs.splunk.com/Documentation/SplunkCloud/6.6.1/SearchTutorial/Usethesearchlanguage

heats · ‎08-24-2017

Do you have to specify the source type?

somesoni2 · ‎08-24-2017

Specifying more metadata field filters (index/host/source/sourcetype etc) in base search can optimize the performance.

heats · ‎08-24-2017

Oh I see, it looks like status= not http_status This looks good! Thank you for the documentation!

Filtering a Search

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor