Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Splunk Search Syntax
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Splunk Search Syntax
Hi,
I want to know the difference between the following 2 searches:
sourcetype="source" search NOT field2=*keyword* | table field1, field2, field3
and
sourcetype="source" | table field1, field2, field3 | search NOT field2=*keyword*
I am not getting all the relevant results with the first search query.
What I am trying to do is: I want to reduce the number of results returned by the sourcetype and later process them by piping the output to a regex.
the second splunk query takes a longer time to execute because it will at first extract all the results from the sourcetype and then apply a filter on field2.
I want to reduce the number of results extracted from the sourcetype itself while running the query to reduce the execution time of query.
something like in SQL:
select * from table where column_name LIKE '%keyword%'
so, here I have reduced the results returned by SQL query itself which can later be processed by piping the output to another expression.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Your 1st query is searching for the events having the keyword 'search' (along with other conditions given the query). The events which doesn't have the 'search' keyword are dropped from your search result. Hence the different results you see.
The keyword 'search' should be after the '|' in your 1st query. Either remove the keyword 'search' from the query or add '|' symbol before 'search' keyword.
Please vote if you think this answer provided required clarification for you.
Regards
Jayanna Hallur
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes, but aside from the typo, it's still a valuable question. The difference between the two
sourcetype="source" NOT field2=*keyword* | table field1, field2, field3
sourcetype="source" | table field1, field2, field3 | search NOT field2=*keyword*
is that the first one is slightly faster. They both should return the same result, but the first one eliminates a key:value pair before putting it into a table (which takes cycles.) The second one builds the table, then removes stuff.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You've misused the term "search" in your first search.
As you have it:
sourcetype="source" search NOT field2=*keyword* | table field1, field2, field3
The term "search" is being used as a keyword in a search. Ie find events in sourcetype="source" containing "search" but not having field2="keyword"
What you want is simply:
sourcetype="source" NOT field2=*keyword* | table field1, field2, field3
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas
What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)
Automating Threat Operations and Threat Hunting with Recorded Future
