Re: Help with search

unifirst101 · ‎10-06-2020

Hi, I am using Splunk to grab disk drive metrics but often times I am pulling metrics for drives I don't care about. I want to exclude these from some searches, I am able to do this with a series of NOT/OR commands, as shown below, but I feel like there is an easier way with less syntax.

How can I exclude instances G thru L , in one command, without having to specify each instance as I do below?

host=vor* NOT (host="vor-pxy-prd1*" instance=G: OR instance=H: OR instance=I: OR instance=J: OR instance=K: OR instance=L:)

Thanks for any ideas -

unifirst101 · ‎10-07-2020

The first one worked great. I'm not able to get any results from the 2nd one even the drives I want do not show up, not sure why but I am not overly familiar with the regex side in Splunk. Thanks

unifirst101 · ‎10-07-2020

These are both great ideas and look cleaner than what I have been using - thank you!

richgalloway · ‎10-06-2020

There are a couple of alternatives, but neither is much better than what you have now.

Use IN

host=vor* NOT (host="vor-pxy-prd1*" instance IN ("G:", "H:", "I:", "J:", "K:", "L:")

Or use regex to filter using a regular expression

host=vor* NOT (host="vor-pxy-prd1*")
| regex instance="^[GHIJKL]:"

---
If this reply helps you, Karma would be appreciated.

Help with search

fields

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Data Management Digest – May 2026

Join the Conversation