Splunk Search

How to do the opposite of match()?

thisissplunk
Builder

I'm trying to do a DOES NOT match() instead of a match(). http://docs.splunk.com/Documentation/Splunk/6.1/SearchReference/Commonevalfunctions

match(SUBJECT, REGEX)

This function compares the regex string REGEX to the value of SUBJECT and returns a Boolean value; it returns true if the REGEX can find a match against any substring of SUBJECT.

his example returns true IF AND ONLY IF field matches the basic pattern of an IP address. Note that the example uses ^ and $ to perform a full match.
... | eval n=if(match(field, "^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$"), 1, 0)

For instance, I want something like this:

| eval filteredhosts=mvfilter(DoesNotmatch(host, "giraffe")

Instead of this:

| eval filteredhosts=mvfilter(match(host, "giraffe")

I feel like the solution should be obvious but I can't figure it out so far. Anyone?

Tags (3)
1 Solution

javiergn
SplunkTrust
SplunkTrust

Have you tried this?

| eval filteredhosts=mvfilter(if (NOT match(host, "giraffe"), "", host)

I don't have a Splunk instance here to tests this so it's just a guess.

View solution in original post

javiergn
SplunkTrust
SplunkTrust

Have you tried this?

| eval filteredhosts=mvfilter(if (NOT match(host, "giraffe"), "", host)

I don't have a Splunk instance here to tests this so it's just a guess.

View solution in original post

thisissplunk
Builder

Hey thanks. That worked!

0 Karma
Take the 2021 Splunk Career Survey

Help us learn about how Splunk has
impacted your career by taking the 2021 Splunk Career Survey.

Earn $50 in Amazon cash!