Splunk Search

Is there a way to use regex on a standalone string to pull out each value, then append "field!=" to the front to exclude these values from a search?

jlosee
Path Finder

I have a large list of values for a field that I would like to exclude from my search. Rather than having a huge search with:

field!=value1
field!=value2
field!=value3
...

is there a way to use regex to pull out each value and append field!= to the front? As far as I can tell, Splunk can only use regex when parsing the entries themselves, not a standalone string.

Thanks!

0 Karma

mreynov_splunk
Splunk Employee

You can use eval to set a variable with the value of your string and then apply anything to it as if it is event data.

0 Karma

jlosee
Path Finder

Thanks mreynov!

So if I have

eval newField= "field!= value1 field!=value2 field!=value3...."

Would I be able to use rex or something else to have Splunk exclude those values?

I'm also trying out somesoni2's method.

0 Karma

somesoni2
Revered Legend
(accepted solution)

Are you planning to do something like this? (This subsearch will take a standalone, comma-separated string and format it as a giant OR condition.) A sample run-anywhere query:

index=_internal NOT [| gentimes start=-1 | eval sourcetype="splunk_web_access,splunkd_access,splunk_web_service" | makemv sourcetype delim="," | stats count by sourcetype | table sourcetype | format] | stats count by sourcetype

This will remove all the events belonging to any of the sourcetypes splunk_web_access, splunkd_access, splunk_web_service.

jlosee
Path Finder

Not quite. Basically, I will have a list in an outside excel/word doc that I would want to copy & paste into a search and exclude those from the results. The plan is to do this in a macro for easier readability and modification when I want to use this list. Would makemv be able to help with that?

Thanks for the quick response!

0 Karma

somesoni2
Revered Legend

If you copy-paste from the Excel/Word table into the search directly, are the values coming with line feeds? Something like this...

index=_internal NOT [| gentimes start=-1 | eval sourcetype="splunk_web_access
splunkd_access
splunk_web_service
" | eval sourcetype=replace(sourcetype,"\n",",") | makemv sourcetype delim="," | stats count by sourcetype | table sourcetype] | stats count by sourcetype

0 Karma

jlosee
Path Finder

If I understand your question, then yes I believe each entry will be on its own line.

0 Karma

somesoni2
Revered Legend

So will the format in which I wrote the thing for _internal data work for your query? Try to run it in the search bar first; if it works fine, save the subsearch as a macro and use the macro there.

0 Karma

jlosee
Path Finder

In your new example, it looks like the results still include the three sourcetypes you listed (but I think the original example works right).

I tried using your format with my code but the values I specify still show up in the results.

0 Karma

jlosee
Path Finder

Ah I stand corrected--I left out the gentimes start=-1 because I thought that was specific to your example!

So after some testing it looks like it does what I want it to do! I basically just used my code with your structure and it works great.

I read up on gentimes but I still have a question: why was it necessary for this query to run correctly?

Thanks again!

0 Karma
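As an added example (not posted by anyone in this thread), the same exclusion pattern generalised to a list pasted straight from a document: it tolerates Windows line endings, blank lines and stray spaces around each value, renames the subsearch field to the real field so that `format` emits the right search terms, and uses `makeresults` as the generating command (`gentimes start=-1` works the same way). The field `sourcetype` and the three values are the ones from somesoni2's query; everything else is assumed.

```spl
index=_internal
    NOT [
        | makeresults
        | eval excluded="splunk_web_access
splunkd_access
splunk_web_service"
        | eval excluded=replace(excluded, "\r?\n", ",")
        | makemv excluded delim=","
        | mvexpand excluded
        | eval excluded=trim(excluded)
        | where excluded!=""
        | rename excluded AS sourcetype
        | stats count by sourcetype
        | fields sourcetype
        | format
    ]
| stats count by sourcetype
```

The subsearch expands to `NOT ( ( sourcetype="splunk_web_access" ) OR ( sourcetype="splunkd_access" ) OR ( sourcetype="splunk_web_service" ) )`, which is why a generating command is required: `eval` runs once per event, and with no `makeresults`/`gentimes` row to hold the string the subsearch returns nothing and nothing gets excluded. The bracketed part is what you would save as the macro.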