Solved: Re: How can I filter my search if I don't want to ...

sympatiko · ‎07-15-2015

Hi splunkers,

Good day! How can I write a search if I don't want all HOST and PROCESS fields.

Say for example, I don't want:
host=10.10.10.10, process=apache2, mysql, etc..

Thanks

sduff_splunk · ‎07-15-2015

NOT host=10.10.10.10 NOT process=apache2 NOT process=mysql

View solution in original post

sduff_splunk · ‎07-15-2015

NOT host=10.10.10.10 NOT process=apache2 NOT process=mysql

woodcock · ‎07-16-2015

Please also be aware that NOT process=apache2 is NOT the same as process!=apache2. The former keeps events where isnull(process) is TRUE, whereas the latter does not (drops events where isnull(process) is TRUE. This may matter to you.

sympatiko · ‎07-15-2015

You're a God!

MuS · ‎07-15-2015

Just to add something; NOT search should be avoided, especially in regards of search performance and scalability. See the docs about this http://docs.splunk.com/Documentation/Splunk/6.2.4/Search/Writebettersearches#Tips_for_tuning_your_se...

sympatiko · ‎07-15-2015

Thanks for the tips. But no worries I just used it in order to extract a specific details from a data that I uploaded

How can I filter my search if I don't want to return results containing certain field-value pairs?

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

.conf24 | Personalize your .conf experience with Learning Paths!

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...