How to grep filter search results with does not equal

tbalouch
Path Finder

Hi Guys,

I want to filter a virus scan log on my nix systems but I'm having an issue creating the alert for the search. I only want it to send the alert if the search does not match 0, which means there was a virus detected. This is what I have so far:

source="/var/log/uvscan.log" | search Possibly Infected:............. 0

How can I change this search to be only show results that don't match search Possibly Infected:............. 0?


Ayn
Legend

It sounds to me like you should take the search tutorial, especially parts 4 and 5 which cover searching. http://docs.splunk.com/Documentation/Splunk/latest/SearchTutorial/WelcometotheSearchTutorial

The direct answer to your question is: put a NOT before your search statement. But I see more issues with your search.

First of all, you're telling Splunk to first grab ALL events from the data with source "/var/log/uvscan.log" and THEN start filtering. This is inefficient - while it may work OK with small files, it'll become a performance nightmare with large ones, as Splunk needs to read all those events off disk even though you're only interested in a fraction of them. You should put as much filtering as possible in your base search instead.

Also while you certainly can search for events which do not have the specific string "Possibly Infected:............ 0" a better approach would be to create a field extraction instead, so you can do something like "NOT Possibly_Infected=0".

All in all, the rewritten search with these suggested changes would look something like this:

source="/var/log/uvscan.log" NOT Possibly_Infected=0

Or, if you still don't want to extract the field for some reason, just

source="/var/log/uvscan.log" NOT "Possibly Infected:............. 0"
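As an added illustration (not part of Ayn's answer or the thread), the field-extraction approach from the answer can be exercised offline: the regex below pulls the count out of a uvscan summary line, the alert condition is "field present and not 0", and the literal-string filter from the question is shown beside it. The log lines are constructed, the report layout is assumed, and the `rex` search in the comment is a suggested Splunk equivalent, not something from the post.

```python
import re

# Constructed uvscan-style summary lines (not a real log). The run of dots is
# column padding and its length varies (the thread itself shows 12 and 13 dots),
# which is why matching the literal "Possibly Infected:............. 0" is brittle.
SAMPLE_LOG = """\
Summary report on /home
    Total files:...................   1532
    Possibly Infected:.............      0
Summary report on /var/www
    Total files:...................    418
    Possibly Infected:.............      1
Summary report on /tmp
    Total files:...................     12
    Possibly Infected:............       2
"""

# Assumed Splunk equivalent of this extraction, done inline with rex:
#   source="/var/log/uvscan.log"
#   | rex "Possibly Infected:\.+\s*(?<Possibly_Infected>\d+)"
#   | search NOT Possibly_Infected=0
FIELD_RE = re.compile(r"Possibly Infected:\.+\s*(?P<Possibly_Infected>\d+)")


def extract_possibly_infected(line):
    """Return the count as an int, or None when the line carries no such field."""
    m = FIELD_RE.search(line)
    return int(m.group("Possibly_Infected")) if m else None


def alert_lines(log_text):
    """Lines whose Possibly Infected field is present and not 0: the alert condition."""
    hits = []
    for line in log_text.splitlines():
        count = extract_possibly_infected(line)
        if count is not None and count != 0:
            hits.append((line.strip(), count))
    return hits


def literal_not_match(log_text, literal="Possibly Infected:............. 0"):
    """The question's approach: field lines that do not contain the exact literal.
    With padding that differs from the literal, the clean report is flagged as well."""
    return [l.strip() for l in log_text.splitlines()
            if "Possibly Infected" in l and literal not in l]


if __name__ == "__main__":
    for line, count in alert_lines(SAMPLE_LOG):
        print(f"ALERT: {count} possibly infected -> {line}")
    print("literal filter flags:", literal_not_match(SAMPLE_LOG))
```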

tbalouch
Path Finder

Thanks this was helpful!


bbiandov
Path Finder

I figured this and it worked for me: host OP AND eventtype=cisco_ios | search 3C:00:E6:01:8D:02
