Splunk Search

How to filter values to remove attributes from a table?

gmartinv
New Member

Hello Splunkers,

I appended two different searches within Splunk. Then I created a table, and now I need to filter the values of the Terminated_List attribute that do not contain the string Terminated. I am using the following search, but the final where is not working properly:

index=employees [search index=employees source="*_Terminated_Employee_*" | stats latest(source) AS source] | dedup Email_Address | fields Email_Address Terminated_List |eval e_Mail=tostring(upper(Email_Address)) | eval Terminated_List="Terminated Employees"

| append [search index=employees [search index=employees source="*Terminated IT Contractor*" | stats latest(source) AS source] | dedup Email | fields Email Terminated_List |eval e_Mail=tostring(upper(Email)) | eval Terminated_List="Terminated Contractors"] 

| table e_Mail Terminated_List | where Terminated_List!="*Terminated*"

Any ideas or suggestions??

Thank you!!

0 Karma
1 Solution

richgalloway
SplunkTrust
SplunkTrust

Unlike search, where does not use * as a wildcard character - it's a literal. You can use where NOT match(Terminated_List, ".*Terminated.*"), but it's simpler to use search "*Terminated*".

---
If this reply helps you, Karma would be appreciated.

View solution in original post

0 Karma

richgalloway
SplunkTrust
SplunkTrust

Unlike search, where does not use * as a wildcard character - it's a literal. You can use where NOT match(Terminated_List, ".*Terminated.*"), but it's simpler to use search "*Terminated*".

---
If this reply helps you, Karma would be appreciated.
0 Karma

gmartinv
New Member

Hi there,

Thank you for your response. A have a few questions:

  • The MATCH function is working as expected. However, why do we need to add "." before the "*"?
  • The SEARCH function is not working. I get "No results found"...do you know why?

Thank you again.

0 Karma

richgalloway
SplunkTrust
SplunkTrust

match uses regular expressions. In regular expressions, .* means any character, any number of times.
I don't know why search isn't working.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Get Updates on the Splunk Community!

What's New in Splunk Cloud Platform 9.0.2208?!

Howdy!  We are happy to share the newest updates in Splunk Cloud Platform 9.0.2208! Analysts can benefit ...

Admin Console: A Single, Unified Interface for All Your Cloud Admin Needs

WATCH NOWJoin us to learn how the admin console can save you time and give you more control over the Splunk® ...

Getting Started with AIOps: Event Correlation Basics and Alert Storm Detection in ...

Getting Started with AIOps:Event Correlation Basics and Alert Storm Detection in Splunk IT Service ...