Splunk Search

How to filter values to remove attributes from a table?

gmartinv
New Member

Hello Splunkers,

I appended two different searches within Splunk. Then I created a table, and now I need to filter the values of the Terminated_List attribute that do not contain the string Terminated. I am using the following search, but the final where is not working properly:

index=employees [search index=employees source="*_Terminated_Employee_*" | stats latest(source) AS source] | dedup Email_Address | fields Email_Address Terminated_List |eval e_Mail=tostring(upper(Email_Address)) | eval Terminated_List="Terminated Employees"

| append [search index=employees [search index=employees source="*Terminated IT Contractor*" | stats latest(source) AS source] | dedup Email | fields Email Terminated_List |eval e_Mail=tostring(upper(Email)) | eval Terminated_List="Terminated Contractors"] 

| table e_Mail Terminated_List | where Terminated_List!="*Terminated*"

Any ideas or suggestions??

Thank you!!

0 Karma
1 Solution

richgalloway
SplunkTrust
SplunkTrust

Unlike search, where does not use * as a wildcard character - it's a literal. You can use where NOT match(Terminated_List, ".*Terminated.*"), but it's simpler to use search "*Terminated*".

---
If this reply helps you, Karma would be appreciated.

View solution in original post

0 Karma

richgalloway
SplunkTrust
SplunkTrust

Unlike search, where does not use * as a wildcard character - it's a literal. You can use where NOT match(Terminated_List, ".*Terminated.*"), but it's simpler to use search "*Terminated*".

---
If this reply helps you, Karma would be appreciated.
0 Karma

gmartinv
New Member

Hi there,

Thank you for your response. A have a few questions:

  • The MATCH function is working as expected. However, why do we need to add "." before the "*"?
  • The SEARCH function is not working. I get "No results found"...do you know why?

Thank you again.

0 Karma

richgalloway
SplunkTrust
SplunkTrust

match uses regular expressions. In regular expressions, .* means any character, any number of times.
I don't know why search isn't working.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In January, the Splunk Threat Research Team had one release of new security content via the Splunk ES Content ...

Expert Tips from Splunk Professional Services, Ensuring Compliance, and More New ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Observability Release Update: AI Assistant, AppD + Observability Cloud Integrations & ...

This month’s releases across the Splunk Observability portfolio deliver earlier detection and faster ...