Hello Splunkers,
I appended two different searches within Splunk. Then I created a table, and now I need to filter the values of the Terminated_List attribute that do not contain the string Terminated. I am using the following search, but the final where is not working properly:
index=employees [search index=employees source="*_Terminated_Employee_*" | stats latest(source) AS source] | dedup Email_Address | fields Email_Address Terminated_List |eval e_Mail=tostring(upper(Email_Address)) | eval Terminated_List="Terminated Employees"
| append [search index=employees [search index=employees source="*Terminated IT Contractor*" | stats latest(source) AS source] | dedup Email | fields Email Terminated_List |eval e_Mail=tostring(upper(Email)) | eval Terminated_List="Terminated Contractors"]
| table e_Mail Terminated_List | where Terminated_List!="*Terminated*"
Any ideas or suggestions??
Thank you!!
Unlike search, where does not use * as a wildcard character - it's a literal. You can use where NOT match(Terminated_List, ".*Terminated.*"), but it's simpler to use search "*Terminated*".
Hi there,
Thank you for your response. I have a few questions:
Thank you again.
match uses regular expressions. In regular expressions, .* means any character, any number of times.
I don't know why search isn't working.
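The difference discussed in this thread, as an added example that is not part of the original posts: it builds four constructed Terminated_List values with makeresults and shows side by side which rows each where-style condition would keep. The column names where_ne_literal, where_not_match and where_not_like are made up for the illustration, and the like() variant is an addition beyond the conditions named in the thread.

```spl
| makeresults count=4
| streamstats count AS n
| eval Terminated_List=case(n=1, "Terminated Employees",
                            n=2, "Terminated Contractors",
                            n=3, "Active Employees",
                            n=4, "*Terminated*")
| eval where_ne_literal=if(Terminated_List!="*Terminated*", "kept", "dropped")
| eval where_not_match=if(NOT match(Terminated_List, "Terminated"), "kept", "dropped")
| eval where_not_like=if(NOT like(Terminated_List, "%Terminated%"), "kept", "dropped")
| table Terminated_List where_ne_literal where_not_match where_not_like
```

The != comparison drops only the row whose value is literally *Terminated*, asterisks included, which is why the where clause in the question appeared to do nothing.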