Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to drop certain username from search?

splunknewbie81
Engager
‎03-24-2022 05:40 PM

Hi Guys, 

I am trying to do a search and also at the same time drop certain information from showing up.

As seen from the table below  , there is this user [ghjkl-hh123-wer56] that shows up. 

Can I know what must I do from the search string such that usernames like the above no longer show up?

Please advise.

username hostname
user1 host1
user2 host2
ghjkl-hh123-wer56 host3
ghjkl-hh123-wer56 host4
user3 host4


Hope this clarifies

Thank You

regards,
Alex

Labels (2)
Labels
Tags (1)
0 Karma
Reply

SanjayReddy
SplunkTrust
SplunkTrust
‎03-24-2022 06:59 PM

Hi @splunknewbie81 

You can exclude specific username from search using 

username!="ghjkl-hh123-wer56"

Or exclude  usernames  starting with ghjkl

Use username!="ghjkl*"

Exclude multiple usernames use

NOT username IN  ("user1" ,"user2")

0 Karma
Reply

splunknewbie81
Engager
‎03-28-2022 08:47 PM

I don't really understand. Can you show me a example please?

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎03-28-2022 11:13 PM

Let's assume you have events with two different fields - A and B

AB
11
22
33
1 
21
32
13
2 
3

1

 

Now if you want to search for

A!=1

will give you the same results as

NOT A=1

because the field A has some value in every event.

But if you search for

B!=1

you will only get events which have a value in B field and that value is different than 1.

So you'll only get as results only those events that have B=2 or B=3.

But if you search for

NOT B=1

you will get as results all those events in which the B=1 condition is not fulfilled which means that either B=2, B=3 or there is no value for field B at all.

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎03-25-2022 03:10 AM

Just beware that

field!=value

does not have the same meaning as

NOT field=value

The first one will match only if there is a field called "field" within an event and its value is not "value".

The second one will match any event in which there is no field called "field" with value "value", which means it will also match events in which there is no field called "field" whatsoever. The first one wouldn't match those events.

0 Karma
Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...