Splunk Search

Error in 'where' command: The 'not' function is unsupported or undefined.

Abass42
Communicator

I have this report that I received an error from. I've seen the error from different searches, but I just started to look into them. In the email, it said the issue was

Error in 'where' command: The 'not' function is unsupported or undefined.

I'm assuming the search ran fine before it started getting an error, as it was turned into a report.

Current search: 

|inputlookup X_servers.csv | search OS=*Windows* environment=Production OR environment="Disaster Recovery" | dedup host | rename host as HOST | table  HOST environment  OS application1 | sort +HOST |where NOT[|inputlookup Y_agent_managed.csv | table HOST]

I looked up that error, but I couldn't find anything useful out of them. We have our DMC, both cluster masters, and deployment servers all on Splunk 9.x.x; everything else is on 8.x.x. The posts I saw were talking about Splunk 6.x, so that one was a bit outdated and I'm at a loss as to the proper syntax. I tried replacing NOT with != but apparently Splunk reads them both as NOT, which makes sense.

I'd appreciate any help, thank you. We have a few old reports that still use NOT like this.


gcusello
SplunkTrust

Hi @Abass42,

use search command and add a space between NOT and the subsearch:

| inputlookup X_servers.csv WHERE OS=*Windows* environment=Production OR environment="Disaster Recovery" 
| dedup host 
| rename host AS HOST 
| table  HOST environment  OS application1 
| sort HOST 
| search NOT [|inputlookup Y_agent_managed.csv | table HOST ]

Ciao. Giuseppe


PickleRick
SplunkTrust
SplunkTrust

If there was no space between NOT and the bracket, then yes - you should definitely have the space there, otherwise it will indeed probably get rendered to NOT((HOST=something) OR (HOST=something_else) OR ...).

But while in this case search indeed might be a better choice than where, they are _not_ interchangeable!


PickleRick
SplunkTrust

1. You should _not_ have mismatched versions across your environment. Of course it's unavoidable during the upgrade process but it shouldn't be the permanent state.

2. NOT is not the same as !=

A run-anywhere example:

| makeresults count=100
| streamstats count
| eval a=count % 3
| eval b=if(a==1,count%4,null())
| where NOT a=b

Now change the last condition to "a!=b" and compare results.

3. See the job log and see what your search is finally expanded to

4. Your error refers to lower case 'not'. Are you sure you don't have it like that?

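As an added illustration (not part of the thread above), here is a Python simulation of the run-anywhere example, written under the assumption that in Splunk's where command any comparison touching a null field evaluates to false. It shows why `where a!=b` silently discards every row where b is null while `where NOT a=b` keeps them, which matters when a report filter is meant to catch hosts that are missing from a lookup.

```python
# Simulation of the thread's run-anywhere example. Assumption (this is not
# Splunk code): in `where`, a comparison involving a null field is false;
# NOT flips that false to true, whereas != just stays false.

def make_rows(n=100):
    """Mirror: makeresults count=n | streamstats count
               | eval a=count % 3 | eval b=if(a==1,count%4,null())"""
    rows = []
    for count in range(1, n + 1):
        a = count % 3
        b = count % 4 if a == 1 else None   # None plays the role of null()
        rows.append({"count": count, "a": a, "b": b})
    return rows

def spl_eq(x, y):
    """Splunk-style `x=y`: false whenever either side is null."""
    if x is None or y is None:
        return False
    return x == y

def spl_ne(x, y):
    """Splunk-style `x!=y`: also false whenever either side is null."""
    if x is None or y is None:
        return False
    return x != y

def where_not_equal(rows):
    """`| where NOT a=b`"""
    return [r for r in rows if not spl_eq(r["a"], r["b"])]

def where_bang_equal(rows):
    """`| where a!=b`"""
    return [r for r in rows if spl_ne(r["a"], r["b"])]

def compare(n=100):
    """Row counts each filter keeps, plus the rows only NOT keeps (null b)."""
    rows = make_rows(n)
    kept_not = where_not_equal(rows)
    kept_ne = where_bang_equal(rows)
    ne_counts = {r["count"] for r in kept_ne}
    only_not = [r for r in kept_not if r["count"] not in ne_counts]
    return {
        "NOT a=b": len(kept_not),
        "a!=b": len(kept_ne),
        "rows_only_NOT_keeps": len(only_not),
        "all_of_those_have_null_b": all(r["b"] is None for r in only_not),
    }

if __name__ == "__main__":
    print(compare())
```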