Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

How to drop certain username from search?

splunknewbie81
Engager
‎03-24-2022 05:40 PM

Hi Guys, 

I am trying to do a search and also at the same time drop certain information from showing up.

As seen from the table below  , there is this user [ghjkl-hh123-wer56] that shows up. 

Can I know what must I do from the search string such that usernames like the above no longer show up?

Please advise.

username hostname
user1 host1
user2 host2
ghjkl-hh123-wer56 host3
ghjkl-hh123-wer56 host4
user3 host4


Hope this clarifies

Thank You

regards,
Alex

Labels (2)
Labels
Tags (1)
0 Karma
Reply

SanjayReddy
SplunkTrust
SplunkTrust
‎03-24-2022 06:59 PM

Hi @splunknewbie81 

You can exclude specific username from search using 

username!="ghjkl-hh123-wer56"

Or exclude  usernames  starting with ghjkl

Use username!="ghjkl*"

Exclude multiple usernames use

NOT username IN  ("user1" ,"user2")

0 Karma
Reply

splunknewbie81
Engager
‎03-28-2022 08:47 PM

I don't really understand. Can you show me a example please?

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎03-28-2022 11:13 PM

Let's assume you have events with two different fields - A and B

AB
11
22
33
1 
21
32
13
2 
3

1

 

Now if you want to search for

A!=1

will give you the same results as

NOT A=1

because the field A has some value in every event.

But if you search for

B!=1

you will only get events which have a value in B field and that value is different than 1.

So you'll only get as results only those events that have B=2 or B=3.

But if you search for

NOT B=1

you will get as results all those events in which the B=1 condition is not fulfilled which means that either B=2, B=3 or there is no value for field B at all.

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎03-25-2022 03:10 AM

Just beware that

field!=value

does not have the same meaning as

NOT field=value

The first one will match only if there is a field called "field" within an event and its value is not "value".

The second one will match any event in which there is no field called "field" with value "value", which means it will also match events in which there is no field called "field" whatsoever. The first one wouldn't match those events.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...

Network to App: Observability Unlocked [May & June Series]

In today’s digital landscape, your environment is no longer confined to the data center. It spans complex ...

SPL2 Deep Dives, AppDynamics Integrations, SAML Made Simple and Much More on Splunk ...

Splunk Lantern is Splunk’s customer success center that provides practical guidance from Splunk experts on key ...