Splunk Search

How can I exclude a tag from a search result?

gilbxrtx_7
New Member

I am working on printer log data on job completion and am building a search to retrieve only events with tags that contain action words.

Sample of the printer logs I am working on:
Print job completion
Retrieve from USB job completion
Save to Network Folder job completion
Print and Save to Device Memory job completion

The words in bold are action words whereas the words in italic are job destinations.
I have two fields which are related to these messages: one is the 'message' field (for the printer log itself) and the other is the 'printer_msg' field (a field alias I created to retrieve all messages from all printers combined).

I am creating a dashboard where I only want the action word tags to be shown (eg. tag=save OR tag=retrieve OR tag=print). As I am using the 'printer_msg' field in my search string I have decided to allocate two different groups of tags for 'message' and 'printer_msg' fields.

[screenshot]

As seen in the example above, I only added action word tags to the 'printer_msg' field whereas I added both action word and job destination tags to the 'message' field.

I used the following search string to filter out my tags specifically such that I only get the action word tags in my search and not the job destination tags:
index="printerlinuxlog" printer_msg="job notification completion" OR (tag::printer_msg=save OR tag::printer_msg=send OR tag::printer_msg=receive OR tag::printer_msg=retrieve OR tag::printer_msg=fax OR tag::printer_msg=copy OR tag::printer_msg=print OR tag::printer_msg=email)
AND (tag!=usb AND tag!=sharepoint AND tag!=archive AND tag!=forwarding AND tag!=http AND tag!=network_folder )
| rename tag AS "job action"
| stats count by "job action"

All job destination tags were excluded successfully except for one tag: device_memory. As seen from the sample image, I have already added the 'device_memory' tag to the 'message' field and did the same for the other messages that I have. All other job destination tags got excluded in the same way I used to exclude them, as can be seen from the search string above. When I tried to add 'AND tag!=device_memory', the action word tags 'save' and 'retrieve' would get excluded from the search as well, together with the 'device_memory' tag. I do not know what went wrong, as I grouped my tags the same way as I did with my other messages and all of them got extracted the way I wanted, except when I tried to exclude 'device_memory'.

[screenshot: tags got excluded wrongly]

There were a total of 8 action word tags plus 1 job destination tag (device_memory) before 'AND tag!=device_memory' was added to the search. Upon adding that, the 'save' and 'retrieve' tags got excluded.
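An added example, not part of the original post: the same search rewritten so that destination tags are dropped per tag value rather than per event. In Splunk the tag field is multivalued per event, so a base-search clause such as tag!=device_memory removes every event carrying that tag, including events that also carry 'save' or 'print'; expanding tag first and then allowlisting the action values avoids that. It assumes the index, field and tag names from the post.

```spl
index="printerlinuxlog" printer_msg="job notification completion"
    OR (tag::printer_msg=save OR tag::printer_msg=send OR tag::printer_msg=receive
        OR tag::printer_msg=retrieve OR tag::printer_msg=fax OR tag::printer_msg=copy
        OR tag::printer_msg=print OR tag::printer_msg=email)
| mvexpand tag
| search tag IN (save, send, receive, retrieve, fax, copy, print, email)
| rename tag AS "job action"
| stats count by "job action"
```

Because mvexpand emits one row per tag value, an event tagged print, save and device_memory contributes one count each to 'print' and 'save' and nothing to any destination, which is the per-value behaviour the dashboard wants.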
