Thanks mreynov!

So if I have

eval newField= "field!= value1 field!=value2 field!=value3...."

Would I be able to use rex or something else to have Splunk exclude those values?

I'm also trying out somesoni2's method.

Not quite. Basically, I will have a list in an outside excel/word doc that I would want to copy & paste into a search and exclude those from the results. The plan is to do this in a macro for easier readability and modification when I want to use this list. Would makemv be able to help with that?

Thanks for the quick response!

If you copy past from the Excel/Word table into the search directly, is the values coming with line feed. Something like this...

index=_internal NOT [| gentimes start=-1 | eval sourcetype="splunk_web_access
splunkd_access
splunk_web_service
" | eval sourcetype=replace(sourcetype,"\n",",") | makemv sourcetype delim="," | stats count by sourcetype | table sourcetype] | stats count by sourcetype

If I understand your question, then yes I believe each entry will be on its own line.

So will the format in which I wrote the thing for _internal data, works for your query? Try to run them in search bar first, if works fine, you saved the subsearch as macro and use the macro there

In your new example, it looks like the results still include the three sourcetypes you listed (but I think the original example works right).

I tried using your format with my code but the values I specify still show up in the results.

Ah I stand corrected--I left out the gentimes start=-1 because I thought that was specific to your example!

So after some testing it looks like it does what I want it to do! I basically just used my code with your structure and it works great.

I read up on gentimes but I still have a question: why was it necessary for this query to run correctly?

Thanks again!