Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

How to exclude particular values?

karthi2809
Builder
‎04-26-2024 04:28 AM

Hi All,

How to exclude particular values of fields in this query.In my scenario if message having "file not found" so i dont want to show the transactions. below is the query i tried to exclude.

 

index=mulesoft environment=*   applicationName IN ("processor","api")|where message!="No files found for*"
| stats values(content.InterfaceName) as InterfaceName  values(content.Error) as error values(message) as message values(priority) as  priority min(timestamp) AS Logon_Time, max(timestamp) AS Logoff_Time BY  applicationName,correlationId
| table  Status InterfaceName applicationName Timestamp "Total Elapsed Time"  FileList "SuccessFile/FailureFile" Response  correlationId 
| search  InterfaceName IN ("Test")
And i tried 
| search NOT message IN ("No files found for*")

 

 

Labels (1)
Labels
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎04-26-2024 05:02 AM

The where command does not handle wildcards.  Instead, use the search command.

The values function produces multi-value fields, which require special handling.

Try  this query.

index=mulesoft environment=* applicationName IN ("processor","api") message!="No files found for*"
| stats values(content.InterfaceName) as InterfaceName  values(content.Error) as error values(message) as message values(priority) as  priority min(timestamp) AS Logon_Time, max(timestamp) AS Logoff_Time BY  applicationName,correlationId
| where isnotnull(mvfind(InterfaceName, "Test"))
| table Status InterfaceName applicationName Timestamp "Total Elapsed Time" FileList "SuccessFile/FailureFile" Response correlationId

 

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

karthi2809
Builder
‎04-26-2024 05:52 AM

Actually i am using multiple values in interfacename.And mvfind is not for interfacename .

| search InterfaceName IN (
"ABC",
"ABCD",
"COP")

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎04-26-2024 06:10 AM

I don't understand what is meant by "mvfind is not for interfacename".  The mvfind function can be used with any multi-value field (InterfaceName is multi-valued since it is created by the values function).

The mvfind function can be used with multiple values in a regular expression.

 

| where isnotnull(mvfind(InterfaceName("ABC|ABCD|COP"))

 

---
If this reply helps you, Karma would be appreciated.
Reply

karthi2809
Builder
‎04-26-2024 06:17 AM

I just want to exclude the message contains "No files found" .If the keywords contains No files found .We dont to want to show the particular transactions.Saerch command which is used in last for the values from dropdown from dashboard values .So i used search interfacename in last.

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎04-26-2024 06:51 AM

The "no file found" message is excluded in the base search.

index=mulesoft environment=* applicationName IN ("processor","api") message!="No files found for*"
---
If this reply helps you, Karma would be appreciated.
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

New: Search and Personalization just got a major upgrade!

Hello Splunkers,  We’re excited to share two big upgrades coming to community.splunk.com today. These changes ...

Tech Talk | AI-Powered Data Management

  Now On-Demand   Join our Splunk experts for an exclusive Tech Talk as we explore the Cisco Data Fabric ...

GA: Detection Studio and Exposure Analytics in Enterprise Security (ES) 8.5

In this latest release of Enterprise Security (ES), we are excited to announce that  Detection ...