Splunk query for ignoring results with a regex pattern

malanirishi
New Member

Problem: I want to ignore all results from the search that have message: <4 digits> in them. For example: { timestamp: 2021-05-17T22:30:06.299Z, level: error, message: 9173 }

Research done: I have looked into the Splunk docs. I tried implementing NOT regex "message: \d{4}" and NOT rex "message: \d{4}", but it did not work.


ITWhisperer
SplunkTrust
| makeresults
| eval _raw="{ timestamp: 2021-05-17T22:30:06.299Z, level: error, message: 9173 }
{ timestamp: 2021-05-17T22:30:06.299Z, level: error, message: 917 }
{ timestamp: 2021-05-17T22:30:06.299Z, level: error, message: 91733 }"
| multikv noheader=t
| fields _raw
| regex _raw!="message: \d{4}[^\d]"
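The point of the answer above is the character class after \d{4}: without it, "message: 91733" also matches. The following is an added example (not ITWhisperer's code) that reproduces the `regex _raw!=` exclusion in Python, which shares this regex syntax with Splunk's PCRE, over the three events from the answer plus a fourth constructed event where the number ends the line; that last case shows why a lookahead is the more general form of the boundary check.

```python
import re

# Constructed sample events: the three from the answer above, plus one
# (constructed) key=value style line where the number is the last thing on the line.
SAMPLE_EVENTS = [
    "{ timestamp: 2021-05-17T22:30:06.299Z, level: error, message: 9173 }",
    "{ timestamp: 2021-05-17T22:30:06.299Z, level: error, message: 917 }",
    "{ timestamp: 2021-05-17T22:30:06.299Z, level: error, message: 91733 }",
    "timestamp=2021-05-17T22:30:06.299Z level=error message: 4321",
]

# Three candidate patterns; Python's re and Splunk's PCRE agree on all of this syntax.
NAIVE = r"message: \d{4}"            # what the question tried: also matches the 5-digit 91733
ANSWER = r"message: \d{4}[^\d]"      # the answer's fix: requires one following non-digit character
LOOKAHEAD = r"message: \d{4}(?!\d)"  # asserts "no digit follows" without consuming a character


def exclude_matching(events, pattern):
    """Keep only events that do NOT match pattern, i.e. the `regex _raw!=...` semantics."""
    rx = re.compile(pattern)
    return [e for e in events if not rx.search(e)]


def message_values(events):
    """Pull the numeric message field out of each event, for compact inspection."""
    found = []
    for e in events:
        m = re.search(r"message: (\d+)", e)
        found.append(m.group(1) if m else None)
    return found


if __name__ == "__main__":
    for name, pattern in (("naive", NAIVE), ("answer", ANSWER), ("lookahead", LOOKAHEAD)):
        kept = exclude_matching(SAMPLE_EVENTS, pattern)
        print(f"{name:9s} keeps message values {message_values(kept)}")
```

The naive pattern wrongly drops 91733; the answer's `[^\d]` keeps it but cannot match 4321 at end of line because there is no character left to consume, while `(?!\d)` drops exactly the four-digit messages in both layouts.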