Splunk Search
Highlighted

Search results that do not contain a word

Engager

I tried for an hour but couldn't find the answer. I need to search my syslogs from a specific host for entries that do not contain the word Interface my current search line is:

sourcetype="cisco_syslog" host="10.10.10.10"

I tried

sourcetype="cisco_syslog" host="10.10.10.10" | regex _raw(=|!=) [\ )?Interface(\] 

but it doesn't work.

I'm sure I'm close but I am terrible at regular expressions.

Tags (2)
Highlighted

Re: Search results that do not contain a word

Legend
sourcetype="cisco_syslog" host="10.10.10.10" NOT "interface"

http://www.splunk.com/base/Documentation/latest/User/StartSearching#Add_Boolean_expressions

Speak Up for Splunk Careers!

We want to better understand the impact Splunk experience and expertise has has on individuals' careers, and help highlight the growing demand for Splunk skills.