Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Exclude value based on subsearch
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello,
I want to exclude some values if that have the field SPAN_LOSS_MAX=50 between midnight to 7 a.m.
This is my approach:
index="flap" DELTA_SPAN>=3 | search NOT
[search index="flap" SPAN_LOSS_MAX=50 | dedup CONCATENATE_Z sortby +_time
|eval Hour=strftime(_time,"%H")
|where Hour>=00 AND Hour<=7
|stats count by Hour]
|dedup CONCATENATE_Z sortby +_time
| eval Hour=strftime(_time,"%H")
| chart count as FLAP by Hour
But this search returns also values that are in the subsearch.
Any Ideas?
Thanks!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Why not just do this
index="flap" DELTA_SPAN>=3 |eval Hour=tonumber(strftime(_time,"%H") )
| where NOT (SPAN_LOSS_MAX=50 AND Hour>=0 AND Hour<7)
|dedup CONCATENATE_Z sortby +_time
| eval Hour=strftime(_time,"%H")
| chart count as FLAP by Hour
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Why not just do this
index="flap" DELTA_SPAN>=3 |eval Hour=tonumber(strftime(_time,"%H") )
| where NOT (SPAN_LOSS_MAX=50 AND Hour>=0 AND Hour<7)
|dedup CONCATENATE_Z sortby +_time
| eval Hour=strftime(_time,"%H")
| chart count as FLAP by Hour
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks it works! Just a question:
if I want to exclude also 11 p.m.?
I tried | where NOT (SPAN_LOSS_MAX=50 AND Hour>=0 AND Hour<7 AND Hour !=23 ) but it didn't work.
Thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try this
...| where NOT (SPAN_LOSS_MAX=50 AND Hour>=23 AND Hour<7)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I've already tried but it didn't work.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
NOT (SPAN_LOSS_MAX=50 AND ((Hour>=0 AND Hour<7) OR Hour=23))
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you! It works!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello ngerosa,
There is already a default hour extraction called date_hour.. if you don't have it, I will recommend building the extraction yourself to be able to filter since search command.
index="flap" DELTA_SPAN>=3 NOT NOT (SPAN_LOSS_MAX=50 AND date_hour>=0 AND date_hour<=7)
| dedup CONCATENATE_Z sortby + _time
| chart count AS FLAP by date_hour
Hope it helps,
Regards.
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
May 2026 Splunk Expert Sessions: Security & Observability
Network to App: Observability Unlocked [May & June Series]
SPL2 Deep Dives, AppDynamics Integrations, SAML Made Simple and Much More on Splunk ...
