Solved: Exclude regex results from a search

gnoellbn · ‎08-02-2013

Hello,

I'm trying to run the following search in order to list all the failed connection.

In our parc we have computers that start with Q and immediately followed by a number. So I know the following search (without the NOT) shows only these computers.

source="WinEventLog:Security" "CategoryString=Ouverture/fermeture" "Type=Failure" Type="Failure Audit" NOT regex host="Q[0-9].*" | stats count by host

But when I add the NOT it doesn't display anything what am I doing wrong ?

Thanks,
Gaetan

jtrucks · ‎08-02-2013

Do this instead:

source="WinEventLog:Security" "CategoryString=Ouverture/fermeture" "Type=Failure" Type="Failure Audit" | regex host!="Q[0-9].*" | stats count by host

Because regex is a command and the way you have it is: NOT regex AND host="![0-9]"

--
Jesse Trucks
Minister of Magic

View solution in original post

jtrucks · ‎08-02-2013

Do this instead:

source="WinEventLog:Security" "CategoryString=Ouverture/fermeture" "Type=Failure" Type="Failure Audit" | regex host!="Q[0-9].*" | stats count by host

Because regex is a command and the way you have it is: NOT regex AND host="![0-9]"

--
Jesse Trucks
Minister of Magic

gnoellbn · ‎08-02-2013

Works like a charm! Thanks a lot

Exclude regex results from a search

Enterprise Security Content Update (ESCU) | New Releases

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

It’s go time — Boston, here we come!

Are you a member of the Splunk Community?

Exclude regex results from a search

Enterprise Security Content Update (ESCU) | New Releases

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

It’s go time — Boston, here we come!