Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How do I search to exclude logs with extensions?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How do I search to exclude logs with extensions?
Hi,
In my data, I have API calls with several extensions like (.html, .com, .php and many more). I am trying to exclude the logs that have these extensions. I tried the below.
index=abc NOT (api_call=".html." OR api_call=".php")
But, I don't want to use NOT since there are many extensions that will come in the future.
Can anyone help?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @sravani27,
As you don't want to use the NOT boolean expression to filter out the extensions, I have a suggestion how you can achieve your goal.
I would go for a lookup table that looks like this:
file_extensions.csv
extension,exclude
html,1
com,1
php,1
Upload that lookup to your system and add a lookup definition so you can use it in your search.
Then go ahead and write a search like this:
index=abc api_call=*
| rex field=api_call "(?<extracted_file_extension>[^\.]+?$)"
| inputlookup file_extensions extension AS extracted_file_extension OUTPUT exclude
| where isnull(exclude)
With that query you should be able to exclude all the unwanted extension types. And if you need to exclude more extensions in the future just add them to your csv.
Hope this helps 😃
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@sravani27,
if you found my solution helpful and it worked for you please accept the answer.
Thanks!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You can extract the extension into a field and base your query on this field.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
if the field api_call has only extensions, yow can do: index=abc NOT api_call=*
if the field api_call has the file and extension you do: index=abc NOT api_call=.*
let us know if any of the above works for you as there are other ways to accomplish.
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions
Splunk Community Badges!
[Puzzles] Solve, Learn, Repeat: Matching cron expressions
