Splunk Search

How do I filter results based on approximately 115 partial values of a field?

Explorer

I have a large list of products. I need to search the list but filter out some results based on the partial values of the ProdDesc field. Examples of ProdDesc would be something like: MD5864,WINDOWS,PROC1 or MA9874,ANDROID,PROC3, etc.

I can use ProdDesc != \*5864\* and ProdDesc != \*ANDROID\*.... The problem is that the list of partial results has 112 items. When I add ProdDesc != \*[partial value]\* more than 26 times, the query returns no result at all. There seems to be a limitation of how many times I can use !=\*[partial value]\*.

I'm using Splunk Enterprise version 6.5.3 and I'm an end user, not an Admin.

I would appreciate any help provided. Thank you.

0 Karma
1 Solution

Explorer

Hello, somesoni2

Thank you very much for your reply. It is much appreciated.
Your suggestion didn't work exactly as required but it was on the right track.
I ended up having to use:

NOT(ProdDesc = *2213*) AND
NOT(ProdDesc = *AURORA*) AND
NOT(ProdDesc = *BURG*), and so on.

This worked great.
Thanks again.


0 Karma

SplunkTrust

Can you try NOT (ProdDesc=*5864* OR ProdDesc=*ANDROID* OR ...) instead?

0 Karma
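
One way to keep the exclusion list in a single string instead of repeating the clause per value, as an added example that is not part of the original thread: a subsearch turns a comma-separated list into wildcarded ProdDesc terms and the outer search negates them. `<base search>` is a placeholder for the poster's own search, `term` is a field name chosen for this example, and the three values are the ones quoted in the thread.

```spl
<base search>
    NOT [
        | makeresults
        | eval term=split("2213,AURORA,BURG", ",")
        | mvexpand term
        | eval ProdDesc="*" . term . "*"
        | table ProdDesc
    ]
```

The subsearch returns one ProdDesc value per row, which Splunk expands into ProdDesc="*2213*" OR ProdDesc="*AURORA*" OR ProdDesc="*BURG*", the same shape as the NOT (... OR ...) suggestion above.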