- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: How to do the opposite of match()?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'm trying to do a DOES NOT match() instead of a match(). http://docs.splunk.com/Documentation/Splunk/6.1/SearchReference/Commonevalfunctions
match(SUBJECT, REGEX)
This function compares the regex string REGEX to the value of SUBJECT and returns a Boolean value; it returns true if the REGEX can find a match against any substring of SUBJECT.
his example returns true IF AND ONLY IF field matches the basic pattern of an IP address. Note that the example uses ^ and $ to perform a full match.
... | eval n=if(match(field, "^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$"), 1, 0)
For instance, I want something like this:
| eval filteredhosts=mvfilter(DoesNotmatch(host, "giraffe")
Instead of this:
| eval filteredhosts=mvfilter(match(host, "giraffe")
I feel like the solution should be obvious but I can't figure it out so far. Anyone?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Have you tried this?
| eval filteredhosts=mvfilter(if (NOT match(host, "giraffe"), "", host)
I don't have a Splunk instance here to tests this so it's just a guess.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This is an old post, but figured this might help someone out if they're trying to do the same thing.
You can use the not ! operator.
| eval filteredhosts=mvfilter(!match(host, "giraffe"))This works for me.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If anyone is coming across this in version 8 of splunk, the expression given by the answer may not work. In this case, use negative lookaheads, which is more reliable:
| eval filteredhosts=mvfilter(match(host, "^(?!giraffe).+$"))- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Have you tried this?
| eval filteredhosts=mvfilter(if (NOT match(host, "giraffe"), "", host)
I don't have a Splunk instance here to tests this so it's just a guess.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hey thanks. That worked!
Introducing the Splunk Community Dashboard Challenge!
Wondering How to Build Resiliency in the Cloud?
Updated Data Management and AWS GDI Inventory in Splunk Observability
