Solved: How to search not equal with multivalued?

Rithekakan · ‎02-22-2022

host="SPL-SH-DC" sourcetype="csv" source="****"
Severity!="Info"
Severity!="low"
Plugin_Name!="SSL Certificate with Wrong Hostname"
Plugin_Name!="Unix Operating System Unsupported Version Detection"
Plugin_Name!="SSL Self-Signed Certificate"
Plugin_Name!="SSL Certificate Cannot Be Trusted"
Port!="8089"
Port!="6502"
| table IP_Address,device_name,Plugin_Name, Severity,model, Protocol, Port, Exploit, Synopsis, Description, Solution, See_Also, CVSS_V2_Base_Score, CVE,Plugin

Thanks for your help!

ITWhisperer · ‎02-23-2022

NOT Plugin_Name IN (A,B,C,D)

View solution in original post

Rithekakan · ‎02-22-2022

The search result is correct. How ever I am looking for a short way writing not equal for the same fields and different values.
Plugin_Name!="A"
Plugin_Name!="B"
Plugin_Name!="C"
Plugin_Name!="D"

I've tried this but it not working.

Plugin_Name !IN (A,B,C,D)

Regards,

Rithekakan

ITWhisperer · ‎02-23-2022

NOT Plugin_Name IN (A,B,C,D)

Rithekakan · ‎02-23-2022

Hi ITWhisperer,

I got it now. Thanks for your help.

Regards,

Rithekakan

ITWhisperer · ‎02-22-2022

What you have will search for events which are not equal to the values you are trying to exclude. What else are you asking for?

How to search not equal with multivalued?

fields

other

New This Month in Splunk Observability Cloud - Metrics Usage Analytics, Enhanced K8s ...

Alerting Best Practices: How to Create Good Detectors

Discover Powerful New Features in Splunk Cloud Platform: Enhanced Analytics, ...