Splunk Search

How can I exclude a tag from a search result?

gilbxrtx_7
New Member

I am working on printer log data on job completion and am building a search to retrieve only events with tags that contain action words.

Sample of the printer logs I am working on:
Print job completion
Retrieve from USB job completion
Save to Network Folder job completion
Print and Save to Device Memory job completion

The words in bold are action words whereas the words in italic are job destinations.
I have two fields which are related to these messages: one is the 'message' field (for the printer log itself) and the other is the 'printer_msg' field (a field alias I created to retrieve all messages from all printers combined).

I am creating a dashboard where I only want the action word tags to be shown (eg. tag=save OR tag=retrieve OR tag=print). As I am using the 'printer_msg' field in my search string I have decided to allocate two different groups of tags for 'message' and 'printer_msg' fields.

[image: tag configuration for the 'message' and 'printer_msg' fields]

As seen in the example above, I only added action word tags to the 'printer_msg' field whereas I added both action word and job destination tags to the 'message' field.

I used the following search string to filter out my tags specifically such that I only get the action word tags in my search and not the job destination tags:
index="printerlinuxlog" printer_msg="job notification completion" OR (tag::printer_msg=save OR tag::printer_msg=send OR tag::printer_msg=receive OR tag::printer_msg=retrieve OR tag::printer_msg=fax OR tag::printer_msg=copy OR tag::printer_msg=print OR tag::printer_msg=email)
AND (tag!=usb AND tag!=sharepoint AND tag!=archive AND tag!=forwarding AND tag!=http AND tag!=network_folder )
| rename tag AS "job action"
| stats count by "job action"

All job destination tags were excluded successfully except for one tag: device_memory. As seen from the sample image, I have already added the 'device_memory' tag to the 'message' field and did the same for the other messages that I have. All other job destination tags got excluded in the same way I used to exclude them, as can be seen from the search string above. When I tried to add 'AND tag!=device_memory', the action word tags 'save' and 'retrieve' would get excluded from the search as well, together with the 'device_memory' tag. I do not know what went wrong, as I grouped my tags the same way as I did with my other messages and all of them got extracted the way I wanted, except when I tried to exclude 'device_memory'.

[image: tags got excluded wrongly]

There were a total of 8 action word tags plus 1 job destination tag (device_memory) before 'AND tag!=device_memory' was added to the search. Upon adding that, the 'save' and 'retrieve' tags got excluded.

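One way to approach the filtering described in the post, as an added example that is not part of the original question or any reply: the tag field on an event is multivalued, and both tag!=x and NOT tag=x are per-event tests, so they drop or keep whole events rather than individual tag values. To report only the action-word values while keeping every event that carries at least one, filter the values of tag inside each event with mvfilter and then expand the result before counting. The index name and the eight action-word tags are taken from the post; the job_action field name and the wildcard match on printer_msg are assumptions for illustration.

```spl
index="printerlinuxlog" printer_msg="*job completion*"
    (tag=save OR tag=send OR tag=receive OR tag=retrieve OR tag=fax OR tag=copy OR tag=print OR tag=email)
| eval job_action=mvfilter(match(tag, "^(save|send|receive|retrieve|fax|copy|print|email)$"))
| mvexpand job_action
| stats count by job_action
```

The first line restricts the search to events that carry at least one action-word tag. The eval keeps only those values of the multivalue tag field that match the action-word list, so a destination tag such as device_memory on the same event is discarded without discarding the event. mvexpand then turns an event with two action tags (for example the "Print and Save to Device Memory" message, which would carry both print and save) into one row per action, and stats counts each action once per event it appears on.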