Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to use "where" and "not in" and "like" in one query?

JyotiP
Path Finder
‎09-13-2017 02:03 AM

I have the following query :
sourcetype="docker" AppDomain=Eos Level=INFO Message="Eos request calculated" | eval Val_Request_Data_Fetch_RefData=Round((Eos_Request_Data_Fetch_MarketData/1000),1)

Which have 3 host like perf, castle, local.

I want to use the above query bust excluding host like castle and local

sourcetype="docker" AppDomain=Eos Level=INFO Message="Eos request calculated" | eval Val_Request_Data_Fetch_RefData=Round((Eos_Request_Data_Fetch_MarketData/1000),1) | where host NOT like 'castle' AND 'local' ??
Will it work

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

HiroshiSatoh
Champion
‎09-13-2017 02:41 AM

Try this!

sourcetype="docker" AppDomain=Eos Level=INFO Message="Eos request calculated" NOT (host='castle' OR  host='local')

This is also possible.

NOT (host='*castle*' OR  host='*local*')

View solution in original post

Reply
Solved! Jump to solution

cmerriman
Super Champion
‎09-13-2017 04:37 AM

to wildcard NOT, you can do like what @HiroshiSatoh mentioned and go with 

sourcetype="docker" AppDomain=Eos Level=INFO Message="Eos request calculated" NOT (host=*castle* OR  host=*local* OR host=*perf*)| eval Val_Request_Data_Fetch_RefData=Round((Eos_Request_Data_Fetch_MarketData/1000),1)

which will remove the hosts that contain perf, castle, or local from the base search
or if you need to remove it later on in the search, after doing evals/stats with it, perhaps, using where and like would be like this:

...|where NOT like(host,"%perf%") AND NOT like(host,"%castle%") AND NOT like(host,"%local%")
Reply
Solved! Jump to solution
Solution

HiroshiSatoh
Champion
‎09-13-2017 02:41 AM

Try this!

sourcetype="docker" AppDomain=Eos Level=INFO Message="Eos request calculated" NOT (host='castle' OR  host='local')

This is also possible.

NOT (host='*castle*' OR  host='*local*')
Reply
Solved! Jump to solution

abbasimani
Engager
‎11-16-2022 09:47 PM

You can also use: 

 

NOT (host IN (*castle*,*local*))

 

So full query will be something like this: 

sourcetype="docker" AppDomain=Eos Level=INFO Message="Eos request calculated" NOT (host IN (*castle*,*local*))
Tags (1)
Reply
Get Updates on the Splunk Community!

🔐 Trust at Every Hop: How mTLS in Splunk Enterprise 10.0 Makes Security Simpler

From Idea to Implementation: Why Splunk Built mTLS into Splunk Enterprise 10.0  mTLS wasn’t just a checkbox ...

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...