Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Highlighted
Solved! Jump to solution

How to use the where clause and wildcard to filter results?

shiftey
Explorer
‎05-30-2015 03:42 PM

Hi,

I am trying to run this search without success (the search runs however there are 0 results)

sourcetype=dhcplogs description=assign | replace ABC* with ABC in dest  | where dest!=ABC

Computers have hostnames in the format "ABC12345678". dest is the field that contains the hostname. I want to exclude these hosts (and other hosts) from the search results.

Any suggestions?

Cheers

Tags (3)
0 Karma
Reply
1 Solution
Highlighted
Solved! Jump to solution
Solution

Re: How to use the where clause and wildcard to filter results?

MuS
SplunkTrust
SplunkTrust
‎05-30-2015 06:32 PM

Hi shiftey,

try something like this:

sourcetype=dhcplogs description=assign | replace ABC* with ABC in dest | where dest!="ABC"

The reason for this is, that where compares the value of two fields or does evaluate boolean expressions. Whereas search can do a wildcard filter like search foo!=bo*.

Hope this helps ...

cheers, MuS

View solution in original post

Reply