Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Need a help with splunk query

jagan_vannala
Observer
‎08-29-2024 02:49 AM

HI Team,

When i am trying to exclude one field by inserting condition sessionId!=X its not working . even though I used "NOT" condition but the field which i am trying to exclude is still showing in results. could you please help how i can exclude  particular field

host="*"  sessionId!=X 

host="*" NOT sessionId!=X 

Labels (1)
Labels
0 Karma
Reply

jagan_vannala
Observer
‎08-29-2024 03:28 AM

If I want to exclude multiple fields by using NOT condition how can to use NOT query

 

NOT sessionId=X AND groupID=Y

Is this works? please suggest

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎08-29-2024 03:34 AM

Hi @jagan_vannala ,

use parenthesis:

NOT (sessionId=X groupID=Y)

and the AND boolean operator isn't required.

if you have these doubt, I hint to follow the Splink Search Tutorial, that explain how to create your searches: https://docs.splunk.com/Documentation/SplunkCloud/latest/SearchTutorial/WelcometotheSearchTutorial

Ciao.

Giuseppe

0 Karma
Reply

PaulPanther
Motivator
‎08-29-2024 02:55 AM

If you only wanna see events that do not contain the field sessionId You must search as follows

 

host="*" NOT sessionId

  

0 Karma
Reply

jagan_vannala
Observer
‎08-29-2024 03:01 AM

Hi ,

 

I would like to exclude particular session under multiple session ID's

 

 

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎08-29-2024 03:06 AM

Hi @jagan_vannala ,

sorry but it isn't still clear:

to exclude particular sessionId, choose the ones to exclude and put them in a condition

| search NOT sessionId IN (cond1, cond1, cond3)

Ciao.

Giuseppe

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎08-29-2024 02:54 AM

Hi @jagan_vannala ,

maybe it's a mistyping, but in the solution with NOT you don't need to add !, in other words:

host="*" NOT sessionId=X

Anyway, your two searchs has different results because with sessionId!=X you tale all the logs where the filed sessionId is present and hasn't the value "X",

instead with NOT sessionId=X you have all the events except the ones with sessionId=X , even if the sessionId field isn't present.

Ciao.

Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

Application management with Targeted Application Install for Victoria Experience

  Experience a new era of flexibility in managing your Splunk Cloud Platform apps! With Targeted Application ...

Index This | What goes up and never comes down?

January 2026 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Splunkers, Pack Your Bags: Why Cisco Live EMEA is Your Next Big Destination

The Power of Two: Splunk + Cisco at "Ludicrous Scale"   You know Splunk. You know Cisco. But have you seen ...