Re: Negative substring matching against simple str...

nicklbailey · ‎03-15-2016

First, I am completely new to Splunk and the extent of my expertise with the query language is dumb wildcard matching and boolean combinations. I'm more than happy to learn more, but you're going to have to explain it assuming minimal knowledge. More than happy to rtfm, if someone could point me to the part of the manual I should be reading (all of it is not a good answer).

So actual question:
I want to exclude all events where one of the fields contains a substring of the following form: "string-one":"string-two", where string-one and string-two are particular strings of interest. So for example I'd like to match

field: blah blah blah "foo":"bar"

But not

field: blah blah blah "string-one":"string-two"

As an additional note, this is only one filter in a long list of conditions in the query
I've tried a simple :
Field NOT ("*\string-one\":\"string-two\"*")

But it isn't working as I expect

richgalloway · ‎03-15-2016

There's an extra escape character in your search string. Try Field NOT ("*string-one\":\"string-two\"*") or Field NOT ('*string-one":"string-two"*'). If those fail, try ... | where NOT like(field, '%string-one":"string-two"%') | ....

---
If this reply helps you, Karma would be appreciated.

Negative substring matching against simple string

Enter the Splunk Community Dashboard Challenge for Your Chance to Win!

.conf24 | Session Scheduler is Live!!

Introducing the Splunk Community Dashboard Challenge!