Join the Conversation
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Re: how to filter by "does not equal"
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
how to filter by "does not equal"
I know how to filter for a specific event so, for example, I always run this:
source=wineventlog:* earliest_time=-24h "Type=Success"
But what I'd now like to do is the opposite: I'd like to eliminate all these "successes" so I can see all the rest. Since I don't know what the rest are, I can't filter by them. Can I do something like "type DOES NOT EQUAL Success"?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
another example
foo search ... source=WinEventLog:Security | yadda yadda yadda
or the opposite
foo search ... source!=WinEventLog:Security | yadda yadda yadda
Its not easy to understand what people are saying when you are a newb as I am.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
"not equal " is just "!="
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
your_search Type!=Success | the_rest_of_your_search
without the quotes, otherwise Splunk will literally be looking for the string "Type!=Success". Also you might want to do NOT Type=Success instead. The reason for that is that Type!=Success implies that the field "Type" exists, but is not equal to "Success". If the "Type" field doesn't exist at all, the filtering expression will not match.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Don't be so humble. Converted it to an answer for you 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It's possible that the only events with a 'Type' field defined are those where Type=Success. If that's true, then the third search (with !=) would have no field 'Type' against which to evaluate = or even !=.
Also consider absolute time frames, so that the time at which the search is executed isn't leading to different answers. Consider "yesterday" -> earliest=-1d@d latest=@d
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
So why is that when I search on
source=wineventlog:* earliest_time=-24h
I get approximately 25,000 responses and when I search on
source=wineventlog:* earliest_time=-24h "Type=Success"
I get approximately 24,000
But when I then search on
source=wineventlog:* earliest_time=-24h "Type!=Success"
I get zero responses? I should get back approximately 1,000 responses. What am I doing wrong?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It's as simple as "Type!=Success".
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Announcing Modern Navigation: A New Era of Splunk User Experience
Modernize your Splunk Apps – Introducing Python 3.13 in Splunk
Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...
