Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Search for a field not containing a specific pattern.

tdismukes
Engager
‎07-31-2014 01:34 PM

I have two indexed fields, FieldX and FieldY. I want to search for all instances of FieldX that contain 'ABC' where FieldY does not contain '123'. I assume the format would start something like:

FieldX=ABC AND FieldY

but I don't know how to finish that. Would someone please help me out?

Tags (1)
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎07-31-2014 01:43 PM

Try something like this

FieldX="*ABC*" NOT FieldY="*123*"

View solution in original post

Reply
Solved! Jump to solution

Nayra_bakshi
Engager
‎07-02-2022 02:44 AM

what to refer to if want to search on the whole payload/Raw logs, not in a particular field?

 

 

0 Karma
Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎07-31-2014 01:43 PM

Try something like this

FieldX="*ABC*" NOT FieldY="*123*"
Reply
Solved! Jump to solution

Nayra_bakshi
Engager
‎07-02-2022 02:45 AM

What to refer if on whole payload without any fields ?

0 Karma
Reply
Solved! Jump to solution

PickleRick
SplunkTrust
SplunkTrust
‎07-02-2022 03:54 AM

Firstly, let me point out that you're trying to resurrect an 8 year old thread. Next time, start a new one with your question - you'll get better chance of reply.

Back to your question - if you want to find all events which don't contain the string "abc" _anywhere_ within the raw event, simply search for

NOT *abc*

Having said that - it's not the best way to search. If you search for something containing wildcard at the beginning of the search term (either as a straight search or a negative search like in our case) splunk has to scan all raw events to verify whether the event matches. It cannot use internal indexes of words to find only a subset of events which matches the condition.

Therefore you should, whenever possible, search for fixed strings.

And remember that while indexing events splunk splits them into words on whitespaces and punctuators. So "abc" will match both "abc def" as well as "whatever.abc.ding-dong".

Wildcards are often overused in splunk search and they might incur huge performance penalty.

Reply
Solved! Jump to solution

tdismukes
Engager
‎07-31-2014 01:51 PM

That was exactly what I needed, thanks.

0 Karma
Reply
Solved! Jump to solution

Jeff_Lightly_Sp
Communicator
‎07-31-2014 01:50 PM

Didn't see (or at least comprehend) the words 'contain'. That certainly could matter!

0 Karma
Reply
Solved! Jump to solution

Jeff_Lightly_Sp
Communicator
‎07-31-2014 01:37 PM

How about:

Your_SourceType (FieldX=ABC AND FieldY!=123)
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Painting a Clearer Picture: Creating Cross-Domain Visibility with AI Canvas

    Thursday, June 25, 2026  |  11AM PDT / 2PM EDT  Duration: 1 Hour (Includes live Q&A) Register to ...

Analytics Workspace deprecation

As of Splunk Cloud Platform 10.4.2604 and Splunk Enterprise 10.4, Analytics Workspace is now deprecated. ...

Splunk Developer Day Recap: Building, Publishing, and Growing on the Splunk Platform

Splunk Developer Day brought the Splunk developer community together for a practical look at what it means to ...