Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to ignore internal indexes when searching?

splunkreal
Motivator
‎09-23-2016 07:38 AM

Hello,

| rest /services/data/indexes-extended | eval bd_home_event_min_time=strftime('bucket_dirs.home.event_min_time',"%d/%m/%Y") | eval bd_home_event_max_time=strftime('bucket_dirs.home.event_max_time',"%d/%m/%Y") | eval bd_cold_event_min_time=strftime('bucket_dirs.cold.event_min_time',"%d/%m/%Y") | eval bd_cold_event_max_time=strftime('bucket_dirs.cold.event_max_time',"%d/%m/%Y") | table title,bd_home_event_min_time,bd_home_event_max_time,bd_cold_event_min_time,bd_cold_event_max_time,splunk_server | sort title | where not like(title,"_%")

returns empty result.

However the where clause works if I don't use underscore.

My aim is to ignore internal indexes.

Thanks for your help.

* If this helps, please upvote or accept solution if it solved *
Reply
1 Solution
Solved! Jump to solution
Solution

dmaislin_splunk
Splunk Employee
Splunk Employee
‎09-23-2016 07:45 AM 
| rest /services/data/indexes-extended | eval bd_home_event_min_time=strftime('bucket_dirs.home.event_min_time',"%d/%m/%Y") | eval bd_home_event_max_time=strftime('bucket_dirs.home.event_max_time',"%d/%m/%Y") | eval bd_cold_event_min_time=strftime('bucket_dirs.cold.event_min_time',"%d/%m/%Y") | eval bd_cold_event_max_time=strftime('bucket_dirs.cold.event_max_time',"%d/%m/%Y") | table title,bd_home_event_min_time,bd_home_event_max_time,bd_cold_event_min_time,bd_cold_event_max_time,splunk_server | sort title | search title!="_*"

View solution in original post

Reply
Solved! Jump to solution
Solution

dmaislin_splunk
Splunk Employee
Splunk Employee
‎09-23-2016 07:45 AM 
| rest /services/data/indexes-extended | eval bd_home_event_min_time=strftime('bucket_dirs.home.event_min_time',"%d/%m/%Y") | eval bd_home_event_max_time=strftime('bucket_dirs.home.event_max_time',"%d/%m/%Y") | eval bd_cold_event_min_time=strftime('bucket_dirs.cold.event_min_time',"%d/%m/%Y") | eval bd_cold_event_max_time=strftime('bucket_dirs.cold.event_max_time',"%d/%m/%Y") | table title,bd_home_event_min_time,bd_home_event_max_time,bd_cold_event_min_time,bd_cold_event_max_time,splunk_server | sort title | search title!="_*"
Reply
Solved! Jump to solution

splunkreal
Motivator
‎09-23-2016 08:00 AM

Thanks!

By the way what is the difference between * and % (to use wildcard) ?

* If this helps, please upvote or accept solution if it solved *
0 Karma
Reply
Solved! Jump to solution

sduchene_splunk
Splunk Employee
Splunk Employee
‎01-19-2017 12:06 AM

% is not a wildcard.
for wildcard see : https://docs.splunk.com/Documentation/Splunk/6.5.1/Search/Wildcards

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Register for .conf25!
Get Updates on the Splunk Community!

.conf25 Global Broadcast: Don’t Miss a Moment

Hello Splunkers, .conf25 is only a click away.  Not able to make it to .conf25 in person? No worries, you can ...

Observe and Secure All Apps with Splunk

 Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

What's New in Splunk Observability - August 2025

What's New We are excited to announce the latest enhancements to Splunk Observability Cloud as well as what is ...