Splunk Search

How to do the opposite of match()?

thisissplunk
Builder

I'm trying to do a DOES NOT match() instead of a match(). http://docs.splunk.com/Documentation/Splunk/6.1/SearchReference/Commonevalfunctions

match(SUBJECT, REGEX)

This function compares the regex string REGEX to the value of SUBJECT and returns a Boolean value; it returns true if the REGEX can find a match against any substring of SUBJECT.

his example returns true IF AND ONLY IF field matches the basic pattern of an IP address. Note that the example uses ^ and $ to perform a full match.
... | eval n=if(match(field, "^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$"), 1, 0)

For instance, I want something like this:

| eval filteredhosts=mvfilter(DoesNotmatch(host, "giraffe")

Instead of this:

| eval filteredhosts=mvfilter(match(host, "giraffe")

I feel like the solution should be obvious but I can't figure it out so far. Anyone?

Tags (3)
1 Solution

javiergn
SplunkTrust
SplunkTrust

Have you tried this?

| eval filteredhosts=mvfilter(if (NOT match(host, "giraffe"), "", host)

I don't have a Splunk instance here to tests this so it's just a guess.

View solution in original post

haraksin
Path Finder

If anyone is coming across this in version 8 of splunk, the expression given by the answer may not work. In this case, use negative lookaheads, which is more reliable:

| eval filteredhosts=mvfilter(match(host, "^(?!giraffe).+$"))
0 Karma

javiergn
SplunkTrust
SplunkTrust

Have you tried this?

| eval filteredhosts=mvfilter(if (NOT match(host, "giraffe"), "", host)

I don't have a Splunk instance here to tests this so it's just a guess.

thisissplunk
Builder

Hey thanks. That worked!

0 Karma
Get Updates on the Splunk Community!

Splunk Training for All: Meet Aspiring Cybersecurity Analyst, Marc Alicea

Splunk Education believes in the value of training and certification in today’s rapidly-changing data-driven ...

The Splunk Success Framework: Your Guide to Successful Splunk Implementations

Splunk Lantern is a customer success center that provides advice from Splunk experts on valuable data ...

Investigate Security and Threat Detection with VirusTotal and Splunk Integration

As security threats and their complexities surge, security analysts deal with increased challenges and ...