Help with search

unifirst101 · ‎10-06-2020

Hi, I am using Splunk to grab disk drive metrics but often times I am pulling metrics for drives I don't care about. I want to exclude these from some searches, I am able to do this with a series of NOT/OR commands, as shown below, but I feel like there is an easier way with less syntax.

How can I exclude instances G thru L , in one command, without having to specify each instance as I do below?

host=vor* NOT (host="vor-pxy-prd1*" instance=G: OR instance=H: OR instance=I: OR instance=J: OR instance=K: OR instance=L:)

Thanks for any ideas -

unifirst101 · ‎10-07-2020

The first one worked great. I'm not able to get any results from the 2nd one even the drives I want do not show up, not sure why but I am not overly familiar with the regex side in Splunk. Thanks

unifirst101 · ‎10-07-2020

These are both great ideas and look cleaner than what I have been using - thank you!

richgalloway · ‎10-06-2020

There are a couple of alternatives, but neither is much better than what you have now.

Use IN

host=vor* NOT (host="vor-pxy-prd1*" instance IN ("G:", "H:", "I:", "J:", "K:", "L:")

Or use regex to filter using a regular expression

host=vor* NOT (host="vor-pxy-prd1*")
| regex instance="^[GHIJKL]:"

---
If this reply helps you, Karma would be appreciated.

Help with search

fields

Introducing the Splunk Community Dashboard Challenge!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...