Solved: How to ignore internal indexes when searching?

splunkreal · ‎09-23-2016

Hello,

| rest /services/data/indexes-extended | eval bd_home_event_min_time=strftime('bucket_dirs.home.event_min_time',"%d/%m/%Y") | eval bd_home_event_max_time=strftime('bucket_dirs.home.event_max_time',"%d/%m/%Y") | eval bd_cold_event_min_time=strftime('bucket_dirs.cold.event_min_time',"%d/%m/%Y") | eval bd_cold_event_max_time=strftime('bucket_dirs.cold.event_max_time',"%d/%m/%Y") | table title,bd_home_event_min_time,bd_home_event_max_time,bd_cold_event_min_time,bd_cold_event_max_time,splunk_server | sort title | where not like(title,"_%")

returns empty result.

However the where clause works if I don't use underscore.

My aim is to ignore internal indexes.

Thanks for your help.

* If this helps, please upvote or accept solution if it solved *

dmaislin_splunk · ‎09-23-2016

| rest /services/data/indexes-extended | eval bd_home_event_min_time=strftime('bucket_dirs.home.event_min_time',"%d/%m/%Y") | eval bd_home_event_max_time=strftime('bucket_dirs.home.event_max_time',"%d/%m/%Y") | eval bd_cold_event_min_time=strftime('bucket_dirs.cold.event_min_time',"%d/%m/%Y") | eval bd_cold_event_max_time=strftime('bucket_dirs.cold.event_max_time',"%d/%m/%Y") | table title,bd_home_event_min_time,bd_home_event_max_time,bd_cold_event_min_time,bd_cold_event_max_time,splunk_server | sort title | search title!="_*"

View solution in original post

dmaislin_splunk · ‎09-23-2016

| rest /services/data/indexes-extended | eval bd_home_event_min_time=strftime('bucket_dirs.home.event_min_time',"%d/%m/%Y") | eval bd_home_event_max_time=strftime('bucket_dirs.home.event_max_time',"%d/%m/%Y") | eval bd_cold_event_min_time=strftime('bucket_dirs.cold.event_min_time',"%d/%m/%Y") | eval bd_cold_event_max_time=strftime('bucket_dirs.cold.event_max_time',"%d/%m/%Y") | table title,bd_home_event_min_time,bd_home_event_max_time,bd_cold_event_min_time,bd_cold_event_max_time,splunk_server | sort title | search title!="_*"

splunkreal · ‎09-23-2016

Thanks!

By the way what is the difference between * and % (to use wildcard) ?

* If this helps, please upvote or accept solution if it solved *

sduchene_splunk · ‎01-19-2017

and % are 2 different things : % are used for date formatting, see https://docs.splunk.com/Documentation/Splunk/6.5.1/SearchReference/Commontimeformatvariables

% is not a wildcard.
for wildcard see : https://docs.splunk.com/Documentation/Splunk/6.5.1/Search/Wildcards

How to ignore internal indexes when searching?

Fueling your curiosity with new Splunk ILT and eLearning courses

Splunk AI Assistant for SPL 1.1.0 | Now Personalized to Your Environment for Greater ...

Unleash Unified Security and Observability with Splunk Cloud Platform