Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to exclude particular values?

karthi2809
Builder
‎04-26-2024 04:28 AM

Hi All,

How to exclude particular values of fields in this query.In my scenario if message having "file not found" so i dont want to show the transactions. below is the query i tried to exclude.

 

index=mulesoft environment=*   applicationName IN ("processor","api")|where message!="No files found for*"
| stats values(content.InterfaceName) as InterfaceName  values(content.Error) as error values(message) as message values(priority) as  priority min(timestamp) AS Logon_Time, max(timestamp) AS Logoff_Time BY  applicationName,correlationId
| table  Status InterfaceName applicationName Timestamp "Total Elapsed Time"  FileList "SuccessFile/FailureFile" Response  correlationId 
| search  InterfaceName IN ("Test")
And i tried 
| search NOT message IN ("No files found for*")

 

 

Labels (1)
Labels
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎04-26-2024 05:02 AM

The where command does not handle wildcards.  Instead, use the search command.

The values function produces multi-value fields, which require special handling.

Try  this query.

index=mulesoft environment=* applicationName IN ("processor","api") message!="No files found for*"
| stats values(content.InterfaceName) as InterfaceName  values(content.Error) as error values(message) as message values(priority) as  priority min(timestamp) AS Logon_Time, max(timestamp) AS Logoff_Time BY  applicationName,correlationId
| where isnotnull(mvfind(InterfaceName, "Test"))
| table Status InterfaceName applicationName Timestamp "Total Elapsed Time" FileList "SuccessFile/FailureFile" Response correlationId

 

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

karthi2809
Builder
‎04-26-2024 05:52 AM

Actually i am using multiple values in interfacename.And mvfind is not for interfacename .

| search InterfaceName IN (
"ABC",
"ABCD",
"COP")

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎04-26-2024 06:10 AM

I don't understand what is meant by "mvfind is not for interfacename".  The mvfind function can be used with any multi-value field (InterfaceName is multi-valued since it is created by the values function).

The mvfind function can be used with multiple values in a regular expression.

 

| where isnotnull(mvfind(InterfaceName("ABC|ABCD|COP"))

 

---
If this reply helps you, Karma would be appreciated.
Reply

karthi2809
Builder
‎04-26-2024 06:17 AM

I just want to exclude the message contains "No files found" .If the keywords contains No files found .We dont to want to show the particular transactions.Saerch command which is used in last for the values from dropdown from dashboard values .So i used search interfacename in last.

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎04-26-2024 06:51 AM

The "no file found" message is excluded in the base search.

index=mulesoft environment=* applicationName IN ("processor","api") message!="No files found for*"
---
If this reply helps you, Karma would be appreciated.
Reply
Get Updates on the Splunk Community!

See your relevant APM services, dashboards, and alerts in one place with the updated ...

As a Splunk Observability user, you have a lot of data you have to manage, prioritize, and troubleshoot on a ...

Index This | What goes away as soon as you talk about it?

May 2025 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this month’s ...

What's New in Splunk Observability Cloud and Splunk AppDynamics - May 2025

This month, we’re delivering several new innovations in Splunk Observability Cloud and Splunk AppDynamics ...
Top