Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: How to do the opposite of match()?
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
thisissplunk
Builder
01-21-2016
11:24 AM
I'm trying to do a DOES NOT match() instead of a match(). http://docs.splunk.com/Documentation/Splunk/6.1/SearchReference/Commonevalfunctions
match(SUBJECT, REGEX)
This function compares the regex string REGEX to the value of SUBJECT and returns a Boolean value; it returns true if the REGEX can find a match against any substring of SUBJECT.
his example returns true IF AND ONLY IF field matches the basic pattern of an IP address. Note that the example uses ^ and $ to perform a full match.
... | eval n=if(match(field, "^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$"), 1, 0)
For instance, I want something like this:
| eval filteredhosts=mvfilter(DoesNotmatch(host, "giraffe")
Instead of this:
| eval filteredhosts=mvfilter(match(host, "giraffe")
I feel like the solution should be obvious but I can't figure it out so far. Anyone?
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
javiergn
Super Champion
01-21-2016
11:55 AM
Have you tried this?
| eval filteredhosts=mvfilter(if (NOT match(host, "giraffe"), "", host)
I don't have a Splunk instance here to tests this so it's just a guess.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
jacobappleton
Explorer
02-21-2023
08:34 PM
This is an old post, but figured this might help someone out if they're trying to do the same thing.
You can use the not ! operator.
| eval filteredhosts=mvfilter(!match(host, "giraffe"))This works for me.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
haraksin
Path Finder
12-02-2021
05:23 PM
If anyone is coming across this in version 8 of splunk, the expression given by the answer may not work. In this case, use negative lookaheads, which is more reliable:
| eval filteredhosts=mvfilter(match(host, "^(?!giraffe).+$"))- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
javiergn
Super Champion
01-21-2016
11:55 AM
Have you tried this?
| eval filteredhosts=mvfilter(if (NOT match(host, "giraffe"), "", host)
I don't have a Splunk instance here to tests this so it's just a guess.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
thisissplunk
Builder
01-21-2016
12:09 PM
Hey thanks. That worked!
Get Updates on the Splunk Community!
Detecting Brute Force Account Takeover Fraud with Splunk
This article is the second in a three-part series exploring advanced fraud detection techniques using Splunk. ...
Buttercup Games: Further Dashboarding Techniques (Part 9)
This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...
Buttercup Games: Further Dashboarding Techniques (Part 8)
This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...
