Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Is it possible to use | format to get !=?

fredclown
Builder
‎06-05-2023 01:28 PM

I have a search and in the initial part of the search I have a subquery that returns some IP addresses formatted like this using the | format command.

 

(ip="10.10.10.10 OR ip="1.1.1.1" OR ip="2.2.2.2")

 

I have a different search where I want to negate it. Is there a way to do this? I know that the format command does allow you to do things like this ...

 

(NOT ip="10.10.10.10 NOT ip="1.1.1.1" NOT ip="2.2.2.2")

 

However, NOT ip="value" is not the same as ip!="value" in Splunk land. So, I guess I'm wondering if anyone has a great way in a subquery to pass back the field/value pairs with != rather than =. My hunch is | format can't do it, but maybe there is a different way. Hope that makes sense.

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

PickleRick
SplunkTrust
SplunkTrust
‎06-05-2023 01:48 PM

Remember that if your subsearch returns a field called "search", it's returned verbatim to the outer search. So you can craft a search string yourself if the format command isn't sufficient.

Run-anywhere example:

| makeresults count=20
| streamstats count 
| search 
[| makeresults count=10 
| streamstats count
| table count
| eval count="count!=".count
| stats values(count) as search
| eval search=mvjoin(search," AND ")]

View solution in original post

Reply
Solved! Jump to solution
Solution

PickleRick
SplunkTrust
SplunkTrust
‎06-05-2023 01:48 PM

Remember that if your subsearch returns a field called "search", it's returned verbatim to the outer search. So you can craft a search string yourself if the format command isn't sufficient.

Run-anywhere example:

| makeresults count=20
| streamstats count 
| search 
[| makeresults count=10 
| streamstats count
| table count
| eval count="count!=".count
| stats values(count) as search
| eval search=mvjoin(search," AND ")]
Reply
Solved! Jump to solution

fredclown
Builder
‎06-05-2023 03:28 PM

That is a good option. I think my way would  work as well, but I like the output of something like this better. It looks cleaner.

0 Karma
Reply
Solved! Jump to solution

fredclown
Builder
‎06-05-2023 01:38 PM

After thinking about it more for a bit I think this should work and do the same thing as != for each field/value pair but still allows me to use | format.

| format "ip=* AND (NOT" "" "" "" "NOT" ")"

I think this should give me the same results. Does this look right? 

0 Karma
Reply
Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...

Auto-Injector for Everything Else: Making OpenTelemetry Truly Universal

You might have seen Splunk’s recent announcement about donating the OpenTelemetry Injector to the ...