How can I filter all events to exclude this string...

POR160893 · ‎04-11-2022

Hi,

I have an index of log events and I have been asked to exclude all events with a certain string in it. The String I need to omit is drminprtmgmt.isus.emc.com. This string (which represents a device) is not mapped to any field currently. How can I filter all events to exclude this string?

This is currently what I have (which does NOT work):

Many thanks,
Patrick

gcusello · ‎04-11-2022

Hi @POR160893,

as @PickleRick said, you have to use the search command or (better) put the string to exclude in the main search, something like this:

index=ironport sourcetype=cisco:wsa:squid NOT drminprtmgmt.isus.emc.com

Ciao.

Giuseppe

POR160893 · ‎04-11-2022

This worked perfectly, thanks! 😁

gcusello · ‎04-11-2022

Hi @POR160893 ,

good for you, if this answer solves your need, please accept it or the other people of Community, see next time!

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated 😉

PickleRick · ‎04-11-2022

Don't use the "where" command - it's meant for boolean-evaluating conditions. Use the "search" command.

How can I filter all events to exclude this string?

regex

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Automating Threat Operations and Threat Hunting with Recorded Future

Join the Conversation