Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to filter values to remove attributes from a table?

gmartinv
New Member
‎05-18-2020 03:42 PM

Hello Splunkers,

I appended two different searches within Splunk. Then I created a table, and now I need to filter the values of the Terminated_List attribute that do not contain the string Terminated. I am using the following search, but the final where is not working properly:

index=employees [search index=employees source="*_Terminated_Employee_*" | stats latest(source) AS source] | dedup Email_Address | fields Email_Address Terminated_List |eval e_Mail=tostring(upper(Email_Address)) | eval Terminated_List="Terminated Employees"

| append [search index=employees [search index=employees source="*Terminated IT Contractor*" | stats latest(source) AS source] | dedup Email | fields Email Terminated_List |eval e_Mail=tostring(upper(Email)) | eval Terminated_List="Terminated Contractors"] 

| table e_Mail Terminated_List | where Terminated_List!="*Terminated*"

Any ideas or suggestions??

Thank you!!

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎05-18-2020 04:28 PM

Unlike search, where does not use * as a wildcard character - it's a literal. You can use where NOT match(Terminated_List, ".*Terminated.*"), but it's simpler to use search "*Terminated*".

---
If this reply helps you, Karma would be appreciated.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎05-18-2020 04:28 PM

Unlike search, where does not use * as a wildcard character - it's a literal. You can use where NOT match(Terminated_List, ".*Terminated.*"), but it's simpler to use search "*Terminated*".

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

gmartinv
New Member
‎05-19-2020 07:31 AM

Hi there,

Thank you for your response. A have a few questions:

  • The MATCH function is working as expected. However, why do we need to add "." before the "*"?
  • The SEARCH function is not working. I get "No results found"...do you know why?

Thank you again.

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎05-20-2020 05:36 AM

match uses regular expressions. In regular expressions, .* means any character, any number of times.
I don't know why search isn't working.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Register for .conf25!
Get Updates on the Splunk Community!

AppDynamics Summer Webinars

This summer, our mighty AppDynamics team is cooking up some delicious content on YouTube Live to satiate your ...

SOCin’ it to you at Splunk University

Splunk University is expanding its instructor-led learning portfolio with dedicated Security tracks at .conf25 ...

Credit Card Data Protection & PCI Compliance with Splunk Edge Processor

Organizations handling credit card transactions know that PCI DSS compliance is both critical and complex. The ...
Top