I'm trying to do a DOES NOT match() instead of a match(). http://docs.splunk.com/Documentation/Splunk/6.1/SearchReference/Commonevalfunctions
match(SUBJECT, REGEX)
This function compares the regex string REGEX to the value of SUBJECT and returns a Boolean value; it returns true if the REGEX can find a match against any substring of SUBJECT.
This example returns true IF AND ONLY IF field matches the basic pattern of an IP address. Note that the example uses ^ and $ to perform a full match.
... | eval n=if(match(field, "^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$"), 1, 0)
For instance, I want something like this:
| eval filteredhosts=mvfilter(DoesNotmatch(host, "giraffe"))
Instead of this:
| eval filteredhosts=mvfilter(match(host, "giraffe"))
I feel like the solution should be obvious but I can't figure it out so far. Anyone?
This is an old post, but figured this might help someone out if they're trying to do the same thing.
You can use the not ! operator.
| eval filteredhosts=mvfilter(!match(host, "giraffe"))
This works for me.
If anyone is coming across this in version 8 of Splunk, the expression given by the answer may not work. In this case, use negative lookaheads, which are more reliable:
| eval filteredhosts=mvfilter(match(host, "^(?!giraffe).+$"))
Have you tried this?
| eval filteredhosts=mvfilter(if (NOT match(host, "giraffe"), "", host))
I don't have a Splunk instance here to test this so it's just a guess.
Hey thanks. That worked!
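A side-by-side comparison of the filters discussed in this thread, as an added example that is not from any of the posters: it builds a constructed multivalue host field with makeresults and split (the host names are made up) and runs a negated match, the anchored lookahead as posted, and a lookahead variant with .* added as an assumption to cover "giraffe" anywhere in the value.

```spl
| makeresults
| eval host=split("giraffe01,web-giraffe-02,zebra01,lion02", ",")
| eval negated_match=mvfilter(NOT match(host, "giraffe"))
| eval lookahead_at_start=mvfilter(match(host, "^(?!giraffe).+$"))
| eval lookahead_anywhere=mvfilter(match(host, "^(?!.*giraffe).+$"))
| table host negated_match lookahead_at_start lookahead_anywhere
```

Because match() is unanchored, the negated form drops every value containing "giraffe", while "^(?!giraffe)" only rejects values that begin with it, so web-giraffe-02 stays in lookahead_at_start. This matters when the filter is used to exclude hosts from an alert or report.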