Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Need a help with splunk query

jagan_vannala
Observer
‎08-29-2024 02:49 AM

HI Team,

When i am trying to exclude one field by inserting condition sessionId!=X its not working . even though I used "NOT" condition but the field which i am trying to exclude is still showing in results. could you please help how i can exclude  particular field

host="*"  sessionId!=X 

host="*" NOT sessionId!=X 

Labels (1)
Labels
0 Karma
Reply

jagan_vannala
Observer
‎08-29-2024 03:28 AM

If I want to exclude multiple fields by using NOT condition how can to use NOT query

 

NOT sessionId=X AND groupID=Y

Is this works? please suggest

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎08-29-2024 03:34 AM

Hi @jagan_vannala ,

use parenthesis:

NOT (sessionId=X groupID=Y)

and the AND boolean operator isn't required.

if you have these doubt, I hint to follow the Splink Search Tutorial, that explain how to create your searches: https://docs.splunk.com/Documentation/SplunkCloud/latest/SearchTutorial/WelcometotheSearchTutorial

Ciao.

Giuseppe

0 Karma
Reply

PaulPanther
Motivator
‎08-29-2024 02:55 AM

If you only wanna see events that do not contain the field sessionId You must search as follows

 

host="*" NOT sessionId

  

0 Karma
Reply

jagan_vannala
Observer
‎08-29-2024 03:01 AM

Hi ,

 

I would like to exclude particular session under multiple session ID's

 

 

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎08-29-2024 03:06 AM

Hi @jagan_vannala ,

sorry but it isn't still clear:

to exclude particular sessionId, choose the ones to exclude and put them in a condition

| search NOT sessionId IN (cond1, cond1, cond3)

Ciao.

Giuseppe

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎08-29-2024 02:54 AM

Hi @jagan_vannala ,

maybe it's a mistyping, but in the solution with NOT you don't need to add !, in other words:

host="*" NOT sessionId=X

Anyway, your two searchs has different results because with sessionId!=X you tale all the logs where the filed sessionId is present and hasn't the value "X",

instead with NOT sessionId=X you have all the events except the ones with sessionId=X , even if the sessionId field isn't present.

Ciao.

Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

Index This | What is broken 80% of the time by February?

December 2025 Edition   Hayyy Splunk Education Enthusiasts and the Eternally Curious!    We’re back with this ...

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...

Hello Splunk Community,   We're thrilled to share an exciting update that will help you manage your data more ...

Splunk MCP & Agentic AI: Machine Data Without Limits

Discover how the Splunk Model Context Protocol (MCP) Server can revolutionize the way your organization uses ...