Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do I not show the value I do not want?

mplungjan
Path Finder
‎10-10-2013 10:52 PM

For an apache access log file with an extra field I have created a field extraction myfield - it works great.

I then want to extract all rows where this field is not equal to "-"

So I make a search 

myfield !="-" | top limit=10000 myfield

And I still see "-" in the table

alt text

I even tried

myfield !="-" | top limit=10000 myfield | where myfield != "-"

Nope - still there. Since the vast majority of record have "-", all the rest have tiny colums.

What am I doing wrong and where in the documentation does it tell me what I had to do.

It is a bit like the useother=0

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

mplungjan
Path Finder
‎10-11-2013 12:59 AM

Solved!

The extract included the quotes.

myfield!="\"-\""

works!

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

mplungjan
Path Finder
‎10-11-2013 12:59 AM

Solved!

The extract included the quotes.

myfield!="\"-\""

works!

0 Karma
Reply
Solved! Jump to solution

mplungjan
Path Finder
‎10-11-2013 12:26 AM

No difference. See update

0 Karma
Reply
Solved! Jump to solution

hRun
Path Finder
‎10-11-2013 12:08 AM

myfield may contain a blank infront of or after the "-", have you tried myfield!="- ", myfield!=" -" or myfield!="*-*", etc.

0 Karma
Reply
Solved! Jump to solution

gfuente
Motivator
‎10-11-2013 12:06 AM

Have you tried this?

search NOT myfield="-" |....

Regards

0 Karma
Reply
Solved! Jump to solution

Ayn
Legend
‎10-11-2013 12:33 AM

In that case all your events have a "myfield" with the value "-". Either that, or you're issuing the search incorrectly. Note that you should not be including the actual "search" word if this is the first command in the search pipeline.

0 Karma
Reply
Solved! Jump to solution

mplungjan
Path Finder
‎10-11-2013 12:17 AM

No results at all

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability as Code: From Zero to Dashboard

For the details on what Self-Service Observability and Observability as Code is, we have some awesome content ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...